
Release Notes: Junos® OS Release 12.1X47-D10 for the SRX Series

Release 12.1X47-D10
17 September 2014
Revision 3

Contents

Introduction
New and Changed Features
    Hardware Features
        Interfaces and Chassis
    Software Features
        Application Identification and Tracking
        Chassis Cluster
        Dynamic Host Configuration Protocol (DHCP)
        Flow-Based and Packet-Based Processing
        General Packet Radio Service (GPRS)
        Interfaces and Chassis
        J-Web
        Layer 2 Features
        Multicast
        Network Address Translation (NAT)
        Network Management and Monitoring
        Port Security
        Public Key Infrastructure (PKI)
        Routing Protocols
        Security Policy
        Unified Threat Management (UTM)
        VPNs
Changes in Behavior and Syntax
    Application Identification and Tracking
    Chassis Cluster
    Flow-Based and Packet-Based Processing
    Intrusion Detection and Prevention (IDP)
    Network Time Protocol
    Security
    VPNs

Copyright © 2014, Juniper Networks, Inc.


Known Behavior
    Application Identification and Tracking
    CLI and J-Web
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    General Packet Radio Service (GPRS)
    Hardware
    Interfaces and Chassis
    Integrated User Firewall
    Intrusion Detection and Prevention (IDP)
    IP Monitoring
    Network Address Translation (NAT)
    TCP-Based DNS
    Upgrade and Downgrade
Known Issues
    Application Identification and Tracking
    Chassis Cluster
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    General Packet Radio Service (GPRS)
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    Network Address Translation (NAT)
    Platform and Infrastructure
    Screens
    VPN
Resolved Issues
    Application Layer Gateways (ALGs)
    Authentication and Access Control
    Chassis Cluster
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    General Packet Radio Service (GPRS)
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Network Address Translation (NAT)
    Platform and Infrastructure
    Switching
    System Logging
    Unified Threat Management (UTM)
    VPNs
Documentation Updates
    Documentation Updates for the Junos OS Software Documentation
        IDP Policies Feature Guide for Security Devices
        Multicast Feature Guide for Security Devices
        Various Guides

Migration, Upgrade, and Downgrade Instructions
    End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines
    Upgrading and Downgrading Among Junos OS Releases
    Upgrading an AppSecure Device
    Network and Security Manager Support
    Upgrade and Downgrade Scripts for Address Book Configuration
        About Upgrade and Downgrade Scripts
        Running Upgrade and Downgrade Scripts
        Upgrade and Downgrade Support Policy for Junos OS Releases
        Upgrade Policy for Junos OS Extended End-Of-Life Releases
    Hardware Requirements
        Transceiver Compatibility for SRX Series Devices
Product Compatibility
    Hardware Compatibility
Third-Party Components
Finding More Information
Documentation Feedback
Requesting Technical Support
Revision History


Introduction

Junos OS runs on the following Juniper Networks® hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric, QFX Series, SRX Series, and T Series.

These release notes accompany Junos OS Release 12.1X47-D10 for the SRX Series. They describe new and changed features, known behavior, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/techpubs/software/junos/.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 12.1X47-D10 for the SRX Series.

• Hardware Features

• Software Features

Hardware Features

Interfaces and Chassis

• MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network. The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) ports.

You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable: you can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted while the MIC is removed.

[See MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP).]

• Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported:

Table: Supported Transceivers

Supported Card Model   Transceiver Model   Description
SRX-MIC-10XG-SFPP      SRX-SFPP-10G-LR     SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm, for up to 10 km transmission on single-mode fiber (SMF) cable
SRX-MIC-2X40G-QSFP     SRX-QSFP-40G-LR4    QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module, 1310 nm, for up to 10 km transmission on single-mode fiber (SMF) cable


Software Features

Application Identification and Tracking

• Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is deprecated in Junos OS Release 12.1X47-D10. The feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.

• Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can load onto your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them onto your system.

[See Services Offloading Overview.]

• Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than the port number.

With next-generation application identification, applications are identified using a downloadable protocol bundle that contains application signatures and parsing information; identification is based on protocol behavior and session management. Next-generation application identification builds on the legacy application identification functionality and provides more effective detection of evasive applications such as Skype, BitTorrent, and Tor. It improves the accuracy of existing application detection, enables dynamic update of the detector engine without a Junos OS code upgrade, and increases the application count to around 2900.

[See Application Identification Feature Guide for Security Devices.]

• Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification replaces the previously implemented pattern-based matching technology and the per-application signature constructs. The new detection mechanism has its own data feed and constructs to identify applications. Next-generation application identification no longer generates nested applications; nested applications are treated as normal applications.

[See Application Identification Feature Guide for Security Devices.]


Chassis Cluster

• Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:

  • Fabric monitoring is enabled by default on high-end SRX Series devices, so recovery of the fabric link and resynchronization take place automatically.

  • If the fabric link goes down, RG1+ becomes ineligible by default on either the secondary node or the node with failures. The node remains in this state until the fabric link comes up or the other node goes away.

  • If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.

[See Understanding Chassis Cluster Fabric Links.]

• Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:

  • The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.

  • The jsrpd process is cleaner: unwanted logs are removed and debug log messages are moved from level LOG_INFO to LOG_DEBUG.

  • The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.

  • SNMP traps are sent when a node's weight goes down and again when it recovers.

  • The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node, and displays the weight of each monitored IP address.

  • A system log message appears when the control link goes down.

[See show chassis cluster ip-monitoring status.]

• In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU supports a progress indicator. During an upgrade, you can see the progress of the ISSU and the time expected to complete each step. To view the progress, use the show chassis cluster information issu command at the console. In addition, you can monitor real-time ISSU progress through a new session that collects, reports, and displays cold synchronization status on the SPUs.

[See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]

• NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol (NTP) is used to synchronize the time between the Packet Forwarding Engine and the Routing Engine in a standalone device, and between the two devices in a chassis cluster. In both standalone and chassis cluster mode, the primary Routing Engine runs the NTP process to get the time from the external NTP server. The secondary Routing Engine uses NTP to get the time from the primary Routing Engine. On both standalone devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the local Routing Engine.

[See Chassis Cluster Feature Guide for Security Devices.]

• Sync backup node configuration from primary node [SRX Series]—Chassis cluster supports automatic configuration synchronization. When a secondary node joins a standalone primary node and a chassis cluster is formed, the primary node configuration is copied and applied to the secondary node. This enhancement saves the user from manually copying the configuration onto both nodes.

[See SRX Series Chassis Cluster Configuration Overview.]

• TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS resolution used UDP as the transport. A DNS message carried over UDP is limited to 512 bytes; a longer response is truncated and the truncation (TC) bit is set in the message header. The maximum length of a UDP DNS response message is 512 bytes, whereas the maximum length of a TCP DNS response message is 65,535 bytes. A DNS resolver determines whether a response is complete by checking whether the TC bit is set in the header, and with TCP support it can retry the query over TCP to obtain the full response.

[See Reconnaissance Deterrence Feature Guide for Security Devices.]
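The truncation and fallback behavior described above, as an added example that is not part of these release notes or of Junos OS: a small Python parser that builds a DNS query, reads the 12-byte header of a response, tests the TC bit to decide whether a TCP retry is required, and shows the two-byte length framing that DNS over TCP uses. The response messages are constructed inline (the answer section is zero padding standing in for records, not real DNS data), so nothing is sent on the network.

```python
"""Added example (not Junos OS code): DNS truncation, the TC bit, and TCP framing."""
import struct

UDP_MAX = 512      # RFC 1035 limit for a DNS message over UDP without EDNS
TCP_MAX = 65535    # the 16-bit length prefix bounds a DNS message over TCP

TC_BIT = 0x0200    # header flags word, bit 9: TrunCation
QR_BIT = 0x8000    # bit 15: message is a response


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query, RD set, one question of the given QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT),
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A response with TC=1 was cut at the UDP limit; the counts in its header
    describe the full answer, not what arrived, so the client must requery over TCP."""
    hdr = parse_header(udp_response)
    return hdr["qr"] and hdr["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    if len(msg) > TCP_MAX:
        raise ValueError("message too large for DNS over TCP")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes):
    """Split a TCP byte stream into complete messages; return the unconsumed tail
    so a caller can buffer a message that has not fully arrived yet."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


# Constructed sample responses: the answer section is zero padding standing in
# for 20 records, enough to push the message past 512 bytes.
def make_full_response(query: bytes) -> bytes:
    """What the server built: flags 0x8180 (QR, RD, RA), 20 answers, 629 bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 20, 0, 0) + query[12:] + bytes(600)


def make_truncated_response(query: bytes) -> bytes:
    """What arrives over UDP: the same header with TC set (0x8380), cut at 512 bytes."""
    full = make_full_response(query)
    txid = struct.unpack("!H", full[:2])[0]
    return (struct.pack("!HH", txid, 0x8380) + full[4:])[:UDP_MAX]


if __name__ == "__main__":
    q = build_query("example.com")
    udp = make_truncated_response(q)
    print(len(udp), needs_tcp_retry(udp))            # 512 True
    msgs, tail = tcp_unframe(tcp_frame(make_full_response(q)))
    print(len(msgs[0]), needs_tcp_retry(msgs[0]))    # 629 False
```

A resolver that ignores TC and trusts the record counts in a truncated header reads past the end of the data it actually received; checking the bit first and reissuing over TCP is what makes the larger 65,535-byte limit reachable.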

Dynamic Host Configuration Protocol (DHCP)

• DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client now include chassis cluster support on high-end SRX Series devices in addition to branch SRX Series devices.

[See Administration Guide for Security Devices.]

Flow-Based and Packet-Based Processing

• LAG support in services-offload mode [High-end SRX Series]—LAGs are supported in services-offload mode. A LAG combines links to provide increased bandwidth and link availability. Services offloading reduces packet latency by processing and forwarding packets in the network processor instead of in the SPU. Supporting link aggregation in services-offload mode combines the benefits of both features: enhanced throughput, link redundancy, and reduced packet latency.

[See Services Offloading Overview.]

• Services offloading [SRX5600 and SRX5800]—The following services offloading features are supported:

  • Per-wing statistics counters

  • Services-offload traffic across different network processors

  • End-to-end debugging in services-offload mode

[See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line Devices or SRX1400 Devices to Support Services Offloading.]


General Packet Radio Service (GPRS)

• SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure an SCTP profile with an IPv6 address and then process IPv6 traffic. The SCTP module walks every IPv6 extension header until it finds the SCTP header, then processes the SCTP header and ignores the other headers.

An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6 addresses. An SCTP endpoint also supports NAT-PT in both directions, from IPv4 address format to IPv6 address format and vice versa.

[See General Packet Radio Service Feature Guide for Security Devices.]

• SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all chunks in a message and then permits or drops the packet based on the policy. You can enable SCTP multichunk inspection, or disable it so that only the first chunk is checked. If a data chunk is not allowed to pass through the SCTP profile because of protocol blocking or rate limiting, the SCTP firewall resets that chunk to a null PDU and continues to check the next chunk. If all chunks in a packet are null PDUs, the SCTP firewall drops the packet.

[See General Packet Radio Service Feature Guide for Security Devices.]
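To make the two inspection modes concrete, the following Python is an added example, not Juniper's code and not a description of Junos internals. It walks the IPv6 extension-header chain to reach the SCTP common header (the header walk the SCTP IPv6 note above describes), parses the chunks, and applies a constructed profile that permits only one payload protocol identifier (PPID) in DATA chunks. The packets, the permitted PPID set, and the treatment of a blocked chunk (left out of the permitted result, standing in for the "null PDU") are assumptions made for the illustration. In first-chunk-only mode a disallowed DATA chunk bundled behind a harmless HEARTBEAT chunk passes; in multichunk mode it is removed, and a packet consisting only of blocked chunks is dropped.

```python
"""Added example (not Junos OS code): IPv6 extension-header walk to SCTP, then
first-chunk-only versus multichunk inspection of the SCTP chunks."""
import struct

IPPROTO_SCTP = 132
IPPROTO_AH = 51
# Extension headers with the generic (next header, hdr ext len) layout. The
# Fragment header (44) is deliberately absent: this walker handles whole packets only.
EXT_HEADERS = {0, 43, 60, IPPROTO_AH}      # Hop-by-Hop, Routing, Destination Options, AH
CHUNK_DATA, CHUNK_HEARTBEAT = 0, 4        # RFC 4960 chunk types used below


def find_sctp(pkt: bytes):
    """Return the offset of the SCTP common header, or None if the packet is not
    IPv6 carrying SCTP (possibly behind one or more extension headers)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], 40
    while nh != IPPROTO_SCTP:
        if nh not in EXT_HEADERS or off + 2 > len(pkt):
            return None
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # AH counts 4-byte words minus 2; the others count 8-byte units minus 1
        off += (ext_len + 2) * 4 if nh == IPPROTO_AH else (ext_len + 1) * 8
        nh = next_nh
    return off if off + 12 <= len(pkt) else None


def parse_chunks(sctp: bytes):
    """Yield (type, flags, value) for each chunk after the 12-byte common header."""
    pos = 12
    while pos + 4 <= len(sctp):
        ctype, flags, length = struct.unpack("!BBH", sctp[pos:pos + 4])
        if length < 4 or pos + length > len(sctp):
            raise ValueError("malformed chunk length")
        yield ctype, flags, sctp[pos + 4:pos + length]
        pos += length + (-length % 4)      # chunks are padded to a 4-byte boundary


def data_ppid(value: bytes) -> int:
    """DATA chunk value: TSN(4) stream id(2) stream seq(2) PPID(4) user data."""
    return struct.unpack("!I", value[8:12])[0]


def inspect(pkt: bytes, allowed_ppids: set, multichunk: bool):
    """Apply a constructed profile: DATA chunks whose PPID is not permitted are
    blocked. Returns ('permit', [(chunk type, PPID or None), ...]) listing the
    chunks that remain, or ('drop', []) when nothing remains."""
    off = find_sctp(pkt)
    if off is None:
        return "drop", []
    kept = []
    for i, (ctype, _flags, value) in enumerate(parse_chunks(pkt[off:])):
        ppid = data_ppid(value) if ctype == CHUNK_DATA else None
        inspected = multichunk or i == 0          # first-chunk-only mode stops after chunk 0
        if inspected and ctype == CHUNK_DATA and ppid not in allowed_ppids:
            continue                              # blocked: nulled, the next chunk is still checked
        kept.append((ctype, ppid))
    return ("permit", kept) if kept else ("drop", [])


# Constructed packets for the demonstration.
def data_chunk(ppid: int, user_data: bytes) -> bytes:
    body = struct.pack("!IHHI", 1, 0, 0, ppid) + user_data
    length = 4 + len(body)
    return struct.pack("!BBH", CHUNK_DATA, 0x03, length) + body + bytes(-length % 4)


def heartbeat_chunk() -> bytes:
    info = struct.pack("!HH", 1, 8) + bytes(4)    # Heartbeat Info parameter
    return struct.pack("!BBH", CHUNK_HEARTBEAT, 0, 4 + len(info)) + info


def ipv6_sctp(chunks: bytes, hop_by_hop: bool = True) -> bytes:
    """IPv6 header, optional 8-byte Hop-by-Hop header (PadN option), SCTP common header, chunks."""
    payload, nh = b"", IPPROTO_SCTP
    if hop_by_hop:
        payload, nh = bytes([IPPROTO_SCTP, 0, 1, 4, 0, 0, 0, 0]), 0
    payload += struct.pack("!HHII", 2905, 2905, 0xDEADBEEF, 0) + chunks  # ports, vtag, checksum left zero
    header = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + bytes(32)  # src/dst left zero
    return header + payload


if __name__ == "__main__":
    allowed = {18}                                # profile permits S1AP (PPID 18) only
    evasive = ipv6_sctp(heartbeat_chunk() + data_chunk(46, b"diameter"))
    print(inspect(evasive, allowed, multichunk=False))   # ('permit', [(4, None), (0, 46)])
    print(inspect(evasive, allowed, multichunk=True))    # ('permit', [(4, None)])
    print(inspect(ipv6_sctp(data_chunk(46, b"x")), allowed, multichunk=True))  # ('drop', [])
```

The evasion case is the reason to leave multichunk inspection on: SCTP lets a sender bundle chunks, so a profile that only looks at the first chunk can be bypassed by putting a permitted control chunk in front of the payload it is meant to block.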

Interfaces and Chassis

• Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Promiscuous mode is supported on the SRX5000 line MPC (SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the MICs.

By default, an interface performs MAC filtering. You can configure promiscuous mode on the interface to disable MAC filtering; when you delete the promiscuous mode configuration, the interface performs MAC filtering again. You can change the MAC address of the interface even while it is operating in promiscuous mode; when the interface returns to normal mode, the MAC filtering function on the MPC uses the new MAC address to filter packets.

[See Understanding Promiscuous Mode on Ethernet Interfaces.]

J-Web

• Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support modern browsers such as Microsoft Internet Explorer versions 8.0, 9.0, and 10.0, Mozilla Firefox version 23 and later, and Google Chrome version 28 and later, to provide cross-platform browser compatibility.

The following table shows the browser support for the J-Web application.

Table 1: Browser Compatibility on SRX Series Devices

Device:              SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800
Application:         J-Web
Supported browsers:  Microsoft Internet Explorer versions 8.0, 9.0, and 10.0; Mozilla Firefox version 23+; Google Chrome version 28+
Recommended browser: Mozilla Firefox version 23+

• J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is introduced to support chassis clustering. The step-by-step wizard assists in setting up a chassis cluster with a default basic configuration.

• J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better usability.

The following navigational changes are made to the Configuration tab:

  • Additional filter options are enabled on the Interface Configuration page.

  • The layout of the Zones and Screens page is enhanced.

  • A few menu items are renamed for clarity.

  • New buttons are introduced for launching wizards.

  • Application tracking (previously on the Security Logging page) is moved to the Application Tracking Configuration page.

The Dashboard tab includes a link for setting the rescue configuration.

Layer 2 Features

• Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC (SRX5K-MPC). When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic.

The SPU supports all security services for Layer 2 bridging functions; the MPC delivers ingress packets to the SPU and forwards the egress packets encapsulated by the SPU to the outgoing interfaces.

[See Layer 2 Bridging and Transparent Mode Overview.]

Multicast

• Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC (SRX5K-MPC). The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to support the following Layer 3 multicast functionality:

  • Supports IP multicast routing protocols for forwarding multicast traffic

  • Establishes and coordinates operations between multicast shared trees and the shortest-path tree (SPT)

  • Forwards and receives IP multicast traffic

[See Multicast Feature Guide for Security Devices.]

Network Address Translation (NAT)

• Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature

is only supported on SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). This feature

increases the maximum number of IP addresses for NAT bindings to 1,000,000 from

12,000. When using more than 12,000 IP addresses, configure the twin port range to

limit the number of ports.

• Portblockallocation [High-end SRX Series]—This feature allocates ports to subscribers

in blocks and generates logs during block allocation or release. Deterministic port block

allocation allows the mapping of a subscriber’s IP address to an external address and

port number using predefined algorithms. This feature reduces excessive log generation.

To configure port block allocation, include the block-size, max-blocks-per-host,

block-active-timeout, and log statements at the [edit security nat pool pool-name port

block-allocation ] hierarchy level.

To configure deterministic port block allocation, include the block-size and host

statements at the [edit security source pool pool-name port deterministic ] hierarchy

level.

• Source and destination NAT rule application [SRX Series]—The rule match criteria

for source and destination NAT includes a new application option. This option enables

you to configure up to 3072 application terms per rule. In addition, you can configure

up to 8 single destination ports or port ranges with the rule match destination-port

option. Previously, you could configure only a single port or port range.

[See match (Security Destination NAT) and match (Security Source NAT).]

• Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you configure the twin port range for source NAT pools to avoid port overloading. The maximum number of translation ports is 384 million. The default twin port range is 2048 ports, which accommodates 12,000 IP addresses.

To set the global default twin port range for all source pools, use the set security nat source pool-default-twin-port-range low to high statement.

To set the twin port range for a specific pool, use the set security nat source pool pool-name port range twin-port low to high statement.

NOTE: If the twin port range is configured for a smaller range, then attackers can more easily predict the translated port.
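The three NAT features above put together, as an added example that is not part of the release notes: a pool with port block allocation, a pool with deterministic port block allocation, and the global and per-pool twin port range. Pool names, address blocks, block sizes, timeouts and the inside host range are assumptions chosen for illustration; the statement names are the ones the notes list.

```junos
## Added example (not from the release notes). Names, addresses and sizes
## are assumptions; statement names follow the feature descriptions above.

## Pool 1: port block allocation. One log per block allocation/release
## instead of one per session; a host gets at most 8 blocks of 256 ports,
## and an idle block is released after 300 seconds.
set security nat source pool cgn-pool-pba address 203.0.113.0/26
set security nat source pool cgn-pool-pba port block-allocation block-size 256
set security nat source pool cgn-pool-pba port block-allocation max-blocks-per-host 8
set security nat source pool cgn-pool-pba port block-allocation block-active-timeout 300
set security nat source pool cgn-pool-pba port block-allocation log

## Pool 2: deterministic port block allocation. Every inside host in
## 10.10.0.0/16 maps to a predictable external address and 512-port block,
## so traffic can be attributed to a subscriber from the algorithm alone,
## with no per-allocation log at all.
set security nat source pool cgn-pool-det address 203.0.113.64/26
set security nat source pool cgn-pool-det port deterministic block-size 512
set security nat source pool cgn-pool-det port deterministic host address 10.10.0.0/16

## Twin port range. The global default (here the documented 2048-port width,
## at an assumed offset) applies to every source pool that does not set its
## own. A pool approaching the 1,000,000-address limit must be narrowed to
## fewer than 384 ports to stay under the 384M translation-port ceiling.
## Trade-off: the narrower the range, the easier the translated port is to
## predict, so narrow only the pools that need it.
set security nat source pool-default-twin-port-range 1024 to 3071
set security nat source pool cgn-pool-1m address 198.18.0.0/12
set security nat source pool cgn-pool-1m port range twin-port 1024 to 1403
```

Verify the per-pool settings and current block usage with show security nat source pool all, and watch the log volume after enabling block-allocation log: a block allocated per host, not a line per session, is the expected result.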


NetworkManagement andMonitoring

• IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to the reth

interface, IP monitoring through a redundant LAG is supported to take advantage of

both throughput and redundancy.

IP monitoring checks the end-to-end connectivity of configured IP addresses and allows

a redundancy group to automatically fail over when the monitored IP address is not

reachable through the reth interface. Both the primary and secondary devices in the

chassis cluster monitor specific IP addresses to determine whether an upstream device

in the network is reachable.

[See IP Monitoring Overview.]

• IP monitoring with interface as next-hop option [SRX Series]—IP monitoring enables you to configure a static route with a point-to-point (P2P) interface as the next hop, to be installed as the action when IP monitoring fails.

The following functions were added to support the track-ip option:

• Next-hop type checking: IP address or interface.

• Interface type checking for the next hop. Only a P2P interface is supported; an error message is returned when a configuration with any other interface type is committed.

• The interface is used as the next hop to construct the route parameters and add the static route through the routing protocol process (rpd); the result of the route addition is logged.

• The route is deleted by the existing mechanism when the primary route recovers.

[See show services ip-monitoring status.]


Port Security

• UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to TCP port scanning in capabilities, user commands, and operational implementation. The UDP port scanning option is disabled by default. The default threshold period is 5000 microseconds; you can set the threshold period manually, in the range 1000 through 1,000,000 microseconds. This feature protects exposed public UDP services against DDoS attacks by allowing fewer than 10 new sessions from a given source IP address to a given zone within the configured threshold period.

[See Understanding Port Scanning.]
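Enabling the screen end to end, as an added example that is not part of the release notes: the UDP port-scan option is set in an ids-option screen profile and the profile is bound to the zone that faces untrusted networks. The screen and zone names are assumptions; the threshold is in microseconds as described above.

```junos
## Added example (not from the release notes). Screen and zone names are
## assumptions. The threshold is a window in microseconds: a source that
## opens 10 or more new UDP sessions into the zone within that window is
## treated as a scanner.
set security screen ids-option untrust-screen udp port-scan threshold 5000

## Bind the profile to the zone. Screens are evaluated on ingress, so this
## must be the zone the scanner's packets arrive on.
set security zones security-zone untrust screen untrust-screen

## While tuning, alarm without dropping so legitimate bursty UDP clients
## (DNS resolvers, SIP trunks) are not cut off by a threshold that is too
## tight. Remove this line once the threshold is right.
set security screen ids-option untrust-screen alarm-without-drop
```

Watch the counters with show security screen statistics zone untrust before and after removing alarm-without-drop; a rising UDP port-scan counter with no user complaints is the signal that the threshold can be enforced.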

Public Key Infrastructure (PKI)

• Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the configured OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.

[See Understanding Online Certificate Status Protocol.]

Routing Protocols

• OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), has no built-in authentication to ensure that routing packets are not altered or replayed to the router. IPsec can be used to secure OSPFv3 interfaces and virtual links and to encrypt OSPF packets.

To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name statement at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration.

[See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]
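The two-step procedure above carried through, as an added example that is not part of the release notes: a manual, bidirectional, transport-mode ESP security association that both authenticates and encrypts OSPFv3 packets, applied to one interface in area 0. The SA name, SPI, interface and key strings are assumptions; the key placeholders are exactly the key lengths the chosen algorithms require (20 bytes for hmac-sha1-96, 16 bytes for aes-128-cbc) and must be replaced with random values that are identical on every router on the link.

```junos
## Added example (not from the release notes). SA name, SPI, interface and
## keys are assumptions. OSPFv3 IPsec SAs are manual and transport mode;
## every router on the link needs the same SPI, algorithms and keys.
set security ipsec security-association ospf3-sa mode transport
set security ipsec security-association ospf3-sa manual direction bidirectional protocol esp
set security ipsec security-association ospf3-sa manual direction bidirectional spi 256

## Integrity: hmac-sha1-96 takes a 20-byte key (placeholder is 20 characters).
set security ipsec security-association ospf3-sa manual direction bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association ospf3-sa manual direction bidirectional authentication key ascii-text "replace-with-20-byte"

## Confidentiality: aes-128-cbc takes a 16-byte key (placeholder is 16 characters).
## Omit these two lines for authentication-only (AH-style) protection.
set security ipsec security-association ospf3-sa manual direction bidirectional encryption algorithm aes-128-cbc
set security ipsec security-association ospf3-sa manual direction bidirectional encryption key ascii-text "replace-16-bytes"

## Apply the SA to the OSPFv3 interface. Until the neighbor has the matching
## SA, the adjacency stays down; that is the intended fail-closed behavior.
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0 ipsec-sa ospf3-sa
```

Check show ospf3 neighbor after committing on both sides: an adjacency stuck in Init or Down after the change almost always means a key or SPI mismatch, because a packet that fails the SA check is silently dropped rather than logged as an OSPF error.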

Security Policy

• Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address

mappings from the Windows Active Directory to use as match criteria in firewall policies.

The SRX Series device polls the event log of the Active Directory Controller (ADC) to

determine who has logged on. The username and group are queried from the LDAP

service in the ADC. The SRX Series device uses the IP address, username, and group

information to generate authentication entries that the UserFW module uses to enforce

user-based and group-based policy control over traffic.

• Multiple zones for policies [SRX Series]—This feature enables you to configure multiple

source zones and multiple destination zones in one global policy. Previously, you had

to create a separate policy for each from-zone/to-zone pair, even when other attributes,

such as source-address or destination-address were identical.

[See Global Policy Overview.]
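The two policy features above in one configuration, as an added example that is not part of the release notes: a global policy that matches several source and destination zones at once, and a second global policy that additionally matches an Active Directory group resolved by the integrated user firewall. Zone names, the domain and the group name are assumptions.

```junos
## Added example (not from the release notes). Zone, domain and group names
## are assumptions.

## One global policy for what used to need four from-zone/to-zone policies
## (trust->untrust, trust->dmz, guest->untrust, guest->dmz).
set security policies global policy allow-web match from-zone [ trust guest ]
set security policies global policy allow-web match to-zone [ untrust dmz ]
set security policies global policy allow-web match source-address any
set security policies global policy allow-web match destination-address any
set security policies global policy allow-web match application [ junos-http junos-https ]
set security policies global policy allow-web then permit

## User firewall: permit SSH into the DMZ only for members of an AD group.
## The group is matched by the user-to-IP mapping the SRX learned from the
## domain controller event log, so a host whose user has not logged on to
## the domain does not match this rule at all.
set security policies global policy admins-ssh match from-zone trust
set security policies global policy admins-ssh match to-zone dmz
set security policies global policy admins-ssh match source-address any
set security policies global policy admins-ssh match destination-address any
set security policies global policy admins-ssh match application junos-ssh
set security policies global policy admins-ssh match source-identity "example.com\netadmins"
set security policies global policy admins-ssh then permit log session-init
```

Global policies are evaluated after zone-pair policies, so a zone-pair policy that already permits or denies the traffic wins. Use show security user-identification authentication-table all to confirm the SRX has a mapping for the source address before concluding that a source-identity match is failing.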


Unified Threat Management (UTM)

• Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan engine is provided as a downloadable UTM module instead of a module preinstalled in UTM.

To use this feature, your SRX Series device must have an active UTM license. When

you install the KAV license the system automatically downloads the Kaspersky module

from the Juniper Networks server and runs it.

When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled

Kaspersky engine, then the downloaded module replaces the original module on the

device. Regardless of the UTM license status, when the KAV license is deleted from

the device, the Kaspersky engine and all files associated with KAV are removed from

the system immediately.

[See Full Antivirus Protection Overview.]

• UTM license enforcement [SRX Series]—License enforcement is supported for UTM

features, including Sophos antivirus, enhanced Web filtering, and antispam filtering

on all high-end SRX Series devices in addition to branch SRX Series devices. You can

add or remove UTM licenses on SRX Series devices. Each feature license is tied to

exactly one software feature and is valid for exactly one device.

Table 2 on page 13 lists the license modules and the license names.

Table 2: UTM License Information

UTM Module   License Name
SAV          av_key_sophos_engine
AS           anti_spam_key_sbl
EWF          wf_key_websense_ewf

[See License Enforcement.]

• UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature

provides support for UTM features, including Sophos antivirus, content filtering,

antispam, and enhanced Web filtering on next-generation SPCs.

VPNs

• HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128 authentication is supported for IPsec proposals and manual security associations on high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual] hierarchy levels.

[See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]
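Both places the new option can appear, as an added example that is not part of the release notes: an IKE-negotiated proposal and a manual VPN, each using HMAC-SHA-256-128 with AES-256. The names, peer address, SPI and interface are assumptions, and the 32-character key strings are placeholders of the 256-bit length that hmac-sha-256-128 and aes-256-cbc each require.

```junos
## Added example (not from the release notes). Names, peer, SPI, interface
## and keys are assumptions.

## Negotiated SA: the proposal is referenced by an IPsec policy that an
## IKE-based VPN then uses. This is the form to prefer; keys are derived
## per SA and rotate on rekey.
set security ipsec proposal esp-aes256-sha256 protocol esp
set security ipsec proposal esp-aes256-sha256 encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256-sha256 authentication-algorithm hmac-sha-256-128
set security ipsec policy sha256-policy proposals esp-aes256-sha256

## Manual SA: same algorithm, but the key is static configuration and must
## be identical on the peer. Placeholders are 32 characters = 32-byte keys.
set security ipsec vpn site-b-manual bind-interface st0.0
set security ipsec vpn site-b-manual manual gateway 198.51.100.2
set security ipsec vpn site-b-manual manual external-interface ge-0/0/0.0
set security ipsec vpn site-b-manual manual protocol esp
set security ipsec vpn site-b-manual manual spi 1000
set security ipsec vpn site-b-manual manual authentication algorithm hmac-sha-256-128
set security ipsec vpn site-b-manual manual authentication key ascii-text "replace-with-32-byte-auth-key-xx"
set security ipsec vpn site-b-manual manual encryption algorithm aes-256-cbc
set security ipsec vpn site-b-manual manual encryption key ascii-text "replace-with-32-byte-encr-key-xx"
```

A manual SA never rekeys, so treat its keys like any other long-lived secret: generate them randomly, store the configuration with the keys encrypted in the candidate configuration as Junos does by default, and rotate them on a schedule. Where the peer supports IKE, use the proposal form instead.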


Related Documentation

• Changes in Behavior and Syntax on page 15

• Known Behavior on page 19

• Known Issues on page 28

• Resolved Issues on page 34

• Documentation Updates on page 47

• Migration, Upgrade, and Downgrade Instructions on page 50


Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax

of Junos OS statements and commands from Junos OS Release 12.1X47-D10.

Application Identification and Tracking

• Next-generation application identification eliminates the generation of new nested

applications and treats existing nested applications as single applications. In addition,

next-generation application identification does not support custom applications or

custom application groups.

Existing configurations involving any nested applications, custom applications, or

custom application groups are ignored and the following warning messages are

displayed as system log messages:

APPID_CUSTOM_APP_UNSUPPORTED: Ignoring unsupported custom app configuration.

APPID_CUSTOM_NESTAPP_UNSUPPORTED: Ignoring unsupported custom nested app configuration.

APPID_CUSTOM_APPGRP_UNSUPPORTED: Ignoring unsupported custom app group configuration.

Though configurations commit successfully, related functionality will not be available.

For more information, see “Known Behavior” on page 19.

• When you upgrade to Junos OS Release 12.1X47-D10, application firewall and application QoS rules might not be enforced for some applications, and IDP policy loads might fail.

Applications or application groups for which services are not enforced, or that cause IDP policy load failures, are identified by the following system log message:

APPID_APP_GRP_UNSUPPORTED

Example:

APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:JOOST in path [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:JOOST] [edit security idp custom-attack cs2 attack-type signature protocol-binding nested-application JOOST]

APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:PPLIVE in path [edit security application-firewall rule-sets apptest rule 1 match dynamic-application junos:PPLIVE] [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:PPLIVE]

To avoid these problems, we recommend that you upgrade to the latest signature

package.


NOTE: If you are using any applications or application groups that are not present in the latest signature package, you must remove them from application firewall and application QoS rules and IDP policies for installation to complete successfully.

Chassis Cluster

• Starting in Junos OS Release 12.1X46-D20, for all branch SRX Series devices in chassis

cluster mode, there is a node option available for all show chassis CLI commands. The

node option displays status information for all FPCs or for the specified FPC on a specific

node (device) in the cluster.

Flow-Based and Packet-Based Processing

• Prior to Junos OS Release 12.1X46-D10, the SRX Series devices did not decode SCTP

source and destination ports for IPv6 traffic but instead used a preset port 1 to create

flow sessions. These preset ports did not match corresponding security policies and

caused the system to drop SCTP IPv6 traffic.

Starting in Junos OS Release 12.1X47-D10, the actual SCTP source and destination

ports (instead of the preset port 1) will be used to create flow sessions for the SCTP

IPv6 traffic.

Intrusion Detection Prevention (IDP)

New sensor configuration options have been added to log run conditions as IDP session

capacity and memory limits are approached, and to analyze traffic dropped by IDP and

application identification due to exceeding these limitations.

• drop-if-no-policy-loaded—At start up, traffic is ignored by IDP by default if the IDP policy

is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that

all sessions are dropped before the IDP policy is loaded.

• drop-on-failover—By default, IDP ignores failover sessions in an SRX chassis cluster

deployment. The drop-on-failover option changes this behavior and automatically

drops sessions that are in the process of being inspected on the primary node when a

failover to the secondary node occurs.

• drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource

limits are exceeded. In this case, IDP and other sessions are dropped only when the

device’s session capacity or resources are depleted. The drop-on-limit option changes

this behavior and drops sessions when resource limits are exceeded.

• max-sessions-offset—The max-sessions-offset option sets an offset for the maximum

IDP session limit. When the number of IDP sessions exceeds the maximum session

limit, a warning is logged that conditions exist where IDP sessions could be dropped.

When the number of IDP sessions drops below the maximum IDP session limit minus

the offset value, a message is logged that conditions have returned to normal.


• min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for

available cache memory. The threshold value is expressed as a percentage of available

IDP cache memory. If the available cache memory drops below the lower threshold

level, a message is logged stating that conditions exist where IDP sessions could be

dropped because of memory allocation failures.

• min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for

available cache memory. The threshold value is expressed as a percentage of available

IDP cache memory. If available IDP cache memory returns to the upper threshold level,

a message is logged stating that available cache memory has returned to normal. For

example, the following message shows that the available IDP cache memory has

increased above the upper threshold and that it is now performing normally:

• On all SRX Series devices, when IDP is enabled, upload and download speeds measured on a single session are lower than the firewall-only performance numbers.

To address this, a new CLI statement, set security idp sensor-configuration ips session-pkt-depth, is introduced. The session-pkt-depth setting is global and applies to every session.

The session-pkt-depth value specifies how many packets of a session IDP inspects; packets beyond that value are not inspected. When the value is configured as n, IDP inspects only the first n-1 packets of the session and ignores the session from the nth packet onward. The default value is 0, which means no depth is set and IDP performs a full inspection of the session.
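The new sensor options above in one configuration, as an added example that is not part of the release notes. The release notes give the option names but not the hierarchy; placing them under [edit security idp sensor-configuration flow], next to the existing flow options, is an assumption, and the threshold values are assumptions chosen for a deployment that prefers to fail closed.

```junos
## Added example (not from the release notes). The "flow" placement and all
## values are assumptions.

## Fail closed. Each of these reverses a default that silently bypasses
## inspection: traffic before the policy loads, sessions mid-inspection on
## the old primary at failover, and sessions beyond IDP session/memory limits.
set security idp sensor-configuration flow drop-if-no-policy-loaded
set security idp sensor-configuration flow drop-on-failover
set security idp sensor-configuration flow drop-on-limit

## Early warning. A warning is logged when the IDP session count exceeds the
## limit; the "back to normal" message is logged only once the count falls
## below (limit - 2000), so the two messages do not flap around the limit.
set security idp sensor-configuration flow max-sessions-offset 2000

## Cache memory thresholds, in percent of available IDP cache memory: warn
## when less than 10% is free, report recovery once 20% is free again.
## The upper threshold must be above the lower one for the same reason.
set security idp sensor-configuration flow min-objcache-limit-lt 10
set security idp sensor-configuration flow min-objcache-limit-ut 20

## Throughput trade-off: inspect only the first 199 packets of each session
## (a value of n inspects n-1 packets). Leave at the default 0 for full
## inspection; set it only where long bulk-transfer sessions dominate and
## the attack surface is in the session setup.
set security idp sensor-configuration ips session-pkt-depth 200
```

Pair drop-on-limit with the max-sessions-offset and objcache warnings: with drop-on-limit set, the warning messages are your notice that the device has started dropping traffic, not just that it might.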


Network Time Protocol

• On all SRX Series devices, when the NTP client or server is enabled at the [edit system ntp] hierarchy level, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the NTP monlist feature might allow remote attackers to cause a denial of service. To detect and block such traffic, apply a firewall filter to the loopback interface that allows NTP only from trusted addresses and networks.
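The loopback filter described above, as an added example that is not part of the release notes: NTP is accepted only from a prefix list of trusted sources, every other NTP packet to the Routing Engine is counted, logged and discarded, and all other protocols are left alone. The filter name and prefixes are assumptions.

```junos
## Added example (not from the release notes). Filter name and prefixes are
## assumptions. The prefix list must include the device's own configured NTP
## servers: Junos sends client requests from UDP/123, so server replies also
## arrive with destination port 123 and would otherwise be discarded.
set policy-options prefix-list ntp-trusted 192.0.2.0/24
set policy-options prefix-list ntp-trusted 198.51.100.10/32

## Trusted sources: accept.
set firewall family inet filter protect-re term ntp-trusted from source-prefix-list ntp-trusted
set firewall family inet filter protect-re term ntp-trusted from protocol udp
set firewall family inet filter protect-re term ntp-trusted from destination-port ntp
set firewall family inet filter protect-re term ntp-trusted then accept

## Everything else aimed at NTP (including monlist probes): count, log, drop.
set firewall family inet filter protect-re term ntp-untrusted from protocol udp
set firewall family inet filter protect-re term ntp-untrusted from destination-port ntp
set firewall family inet filter protect-re term ntp-untrusted then count ntp-untrusted
set firewall family inet filter protect-re term ntp-untrusted then log
set firewall family inet filter protect-re term ntp-untrusted then discard

## Final accept term: without it the implicit discard would cut off SSH,
## routing protocols and everything else destined to the Routing Engine.
set firewall family inet filter protect-re term everything-else then accept

## Apply on lo0 so it covers traffic to any of the device's own addresses.
set interfaces lo0 unit 0 family inet filter input protect-re
```

Commit with commit confirmed the first time, in case the prefix list is wrong and the filter cuts off your own management session; afterwards show firewall filter protect-re shows the ntp-untrusted counter, which is the cheap way to see whether anyone is probing the device for monlist.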

Security

• Starting in Junos OS Release 12.1X47-D10, on all branch SRX Series devices, the Routing

Engine memory is decreased to 960 MB when an advanced service such as

next-generation application identification, IDP, or UTM is enabled on the device.

VPNs

• AutoVPN multicast deprecated—Support for multicast traffic in an AutoVPN

hub-and-spoke network is deprecated and will be removed in a future release.

AutoVPN hubs are supported on SRX240, SRX550, SRX650, SRX1400, SRX3400,

SRX5600, and SRX5800 devices. AutoVPN spokes are supported on SRX100, SRX210,

SRX220, SRX240, SRX550, SRX650, and SRX1400 devices.

Related Documentation

• New and Changed Features on page 4

• Known Behavior on page 19

• Known Issues on page 28

• Resolved Issues on page 34

• Documentation Updates on page 47

• Migration, Upgrade, and Downgrade Instructions on page 50


Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware

and software in Junos OS Release 12.1X47-D10.

Application Identification and Tracking

• In Junos OS Release 12.1X47-D10 with application identification enabled, an impact on

the application traffic throughput is observed compared to Junos OS Release 12.1X46

or earlier releases under the following scenarios:

• Application system cache is disabled

• Average session data length is very small (less than 44 KB)

• Specific application traffic distributed extensively across non-standard random ports

• Certain application traffic generator profiles are used (not in typical real-world

deployments)

You can use the new performance mode CLI command for improving application traffic

throughput by configuring the enable-performance-mode parameter.

• Use the set services application-identification enable-performance-mode command

to set the deep packet inspection (DPI) in performance mode with default packet

inspection limit as two packets, including both client-to-server and server-to-client

directions.

• Use the set services application-identification enable-performance-mode

max-packet-threshold value command to set the maximum packet threshold for DPI

performance mode based on your input, including both client-to-server and

server-to-client directions. Packet inspection limit can be changed with this CLI

command. Range for the max-packet-threshold value is 1 through 100.

• Use the delete services application-identification enable-performance-mode command

to switch DPI to default accuracy mode and disable the performance mode.

NOTE: By default, DPI performance mode is not enabled on the SRX Series device.

Use the show services application-identification status command to display detailed

information about application identification status.

In the following sample, the DPI Performance mode field displays whether the DPI

performance mode is enabled or not. This field is displayed in the CLI command output

only if the performance mode is enabled.

pic: 2/1
Application Identification
  Status                              Enabled
  Sessions under app detection        0
  Engine Version                      4.18.2-24.006 (build date Jul 30 2014)
  Max TCP session packet memory       30000
  Force packet plugin                 Disabled
  Force stream plugin                 Disabled
  DPI Performance mode:               Enabled
  Statistics collection interval      1 (in minutes)

Application System Cache
  Status                              Enabled
  Negative cache status               Disabled
  Max Number of entries in cache      262144
  Cache timeout                       3600 (in seconds)

Protocol Bundle
  Download Server                     https://services.netscreen.com/cgi-bin/index.cgi
  AutoUpdate                          Disabled
  Slot 1:
    Application package version       2399
    Status                            Active
    Version                           1.40.0-26.006 (build date May 1 2014)
    Sessions                          0
  Slot 2:
    Application package version       0
    Status                            Free
    Version
    Sessions                          0

• On all SRX Series devices, in next-generation application identification, the CLI

statements and commands listed in Table 3 on page 20 are deprecated—rather than

immediately removed—to provide backward compatibility and a chance to bring your

configuration into compliance with the new configuration.

Table 3: Items Deprecated in Junos OS Release 12.1X47-D10

Statement: nested-application
Hierarchy: [edit services application-identification]
Additional Information: Configure a custom nested application definition that will be used by the system to identify the nested application as it passes through the device.

Statement: nested-application-settings
Hierarchy: [edit services application-identification]
Additional Information: Configure nested application options for application identification services.

Statement: enable-heuristics
Hierarchy: [edit services application-identification]
Additional Information: Enable encryption and P2P detection.

Statement: max-checked-bytes
Hierarchy: [edit services application-identification]
Additional Information: Configure the maximum number of bytes to be applied with the application signatures.

Statement: nested-application
Hierarchy: [edit security idp custom-attack attack-name attack-type signature protocol-binding] and [edit security idp custom-attack attack-name attack-type chain protocol-binding]
Additional Information: Specify the nested application name during configuration of custom attack objects to detect known or unknown attacks.
NOTE: All nested applications that used to be listed under this statement are now listed under the application application-name statement at the [edit security idp custom-attack attack-name attack-type signature/chain protocol-binding] hierarchies.

Statement: nested-application
Hierarchy: [edit security application-firewall]
Additional Information: Enable the nested application dynamic lookup to match the application firewall with an application rule during application firewall policy lookup, if there is no explicit rule for the nested application.

Statement: max-sessions
Hierarchy: [edit services application-identification]
Additional Information: Specify the maximum number of sessions application identification maintains. If the value reaches the maximum, all new sessions are dropped.

Statement: request services application-identification application copy predefined-application-name
Hierarchy: NA
Additional Information: Copy a predefined application signature from the database to the configuration and change the name.

Statement: show services application-identification counter ssl-encrypted-sessions
Hierarchy: NA
Additional Information: Display application identification counters for SSL-encrypted traffic.

• On all SRX Series devices, custom application signatures are not supported with this

version of application identification.

As a part of this change, the CLI statements used for configuring custom applications

as listed in Table 4 on page 21 are not supported in this release.

Table 4: Statements Not Supported in Junos OS Release 12.1X47-D10

Statement: application
Hierarchy: [edit services application-identification]
Additional Information: Configure a custom application definition for the desired application name that will be used by the system to identify the application as it passes through the device.

Statement: application-group
Hierarchy: [edit services application-identification]
Additional Information: Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies.

• On all SRX Series devices, application-level distributed denial of service is being

deprecated in Junos OS Release 12.1X47-D10. As a part of this change, the CLI

statements and commands listed in Table 5 on page 22 are deprecated—rather than

immediately removed—to provide backward compatibility and a chance to bring your

configuration into compliance with the new configuration.

Table 5: Items Deprecated in Junos OS Release 12.1X47-D10

Statement: application-ddos
Hierarchy: [edit security idp]
Additional Information: Configure application-level distributed denial-of-service (DDoS) protection.

Statement: rulebase-ddos
Hierarchy: [edit security idp idp-policy policy-name]
Additional Information: Configure the rulebase parameters for application-level DDoS attacks.

Statement: application-ddos
Hierarchy: [edit security idp sensor-configuration]
Additional Information: Enables application-level DDoS statistics collection.

Command: clear security idp application-ddos cache
Additional Information: Clear application-level distributed denial-of-service (DDoS) state, including context, context value, and client classification.

Command: show security idp application-ddos application
Additional Information: Display basic statistics for the servers being protected by the IDP application-level DDoS feature.

Command: show security idp counters application-ddos
Additional Information: Display the status of all IDP application-DDoS counter values.

Command: clear security idp counters application-ddos
Additional Information: Clear the status of all IDP application-DDoS counter values.

We strongly recommend that you phase out deprecated items and replace them with

supported alternatives.

• On all high-end SRX Series devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS application objects process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure that you do not configure rulebase-ddos rules that have two different application-ddos objects when traffic destined to one application server can match more than one rule. Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server matches only one application-level DDoS rule.

NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

The following configuration can be committed, but it will not work properly, because both rules protect the same server (1.1.1.1:80) with different application-ddos objects:

Application Server   application-ddos   service   destination-ip   destination-zone   source-zone
1.1.1.1:80           http-appddos1      http      any              dst-1              source-zone-1
1.1.1.1:80           http-appddos2      http      any              dst-1              source-zone-2

• On all high-end SRX Series devices, application-level DDoS rule base (rulebase-ddos)

does not support port mapping. If you configure an application other than default, and

if the application is from either predefined Junos OS applications or a custom application

that maps an application service to a nonstandard port, application-level DDoS

detection will not work.

When you configure the application setting as default, IDP uses application identification

to detect applications running on standard and nonstandard ports; thus, the

application-level DDoS detection would work properly.

CLI and J-Web

• In the CLI and J-Web, the number of users allowed to access the device is limited as follows:

Device   CLI Users   J-Web Users
SRX100   6           3
SRX110   6           3
SRX210   4           3
SRX220   9           5
SRX240   6           5
SRX550   11          5
SRX650   11          5

Dynamic Host Configuration Protocol (DHCP)

• On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server

and DHCP client are not supported in Layer 2 transparent mode.

• On all SRX Series devices, DHCPv6 client authentication is not supported.

• On all SRX Series devices, logical systems and routing instances are not supported for

DHCP client in chassis cluster mode.


Flow-Based and Packet-Based Processing

• On all branch SRX Series devices, GRE fragmentation is not supported in packet-based

mode.

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices, only a unified ISSU to an immediate Junos OS

release is supported. For example, Unified ISSU from Junos OS release 12.1X44 to Junos

OS release 12.1X45 is supported.

Hardware

• SRX5800 devices do not support a redundant SCB card (third SCB) if an SRX5K SPC II (FRU model number: SRX5K-SPC-4-15-320) is installed in the device. If you have installed an SRX5K SPC II in an SRX5800 device with a redundant SCB card, make sure to remove the redundant SCB card.

• On SRX100, SRX110, SRX210, and SRX220 devices, DRAM memory is not supported.

However, chassis cluster is supported when two devices have the same 1 GB or 2 GB

of memory.

• On SRX5400, SRX5600, and SRX5800 devices, Services offloading is not supported

on Modular Port Concentrator (SRX5K-MPCs)/Modular Interface Cards (MICs).

Interfaces and Chassis

• On all branch SRX Series devices, the CLNS routing is not supported on aggregated

Ethernet interfaces.

Integrated User Firewall

• On SRX Series devices, Integrated User Firewall has the following limitations:

• IPv6 addresses are not supported.

• Logical systems are not supported.


• The WMIC does not support multiple users logged onto the same PC.

• Domain controllers and domain PCs must be running a Windows OS. The minimum supported Windows client is Windows XP; the minimum supported server is Windows Server 2003.

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, in sniffer mode, the flow records show the same interface as both the source (ingress) and destination (egress) interface.

As a workaround, in sniffer mode, use tagged interfaces so that distinct interface names appear in the logs. For example, with ge-0/0/2.0 as the ingress (sniff) interface and ge-0/0/2.100 as the egress interface, the logs show the source interface as ge-0/0/2.100.

set interfaces ge-0/0/2 promiscuous-mode

set interfaces ge-0/0/2 vlan-tagging

set interfaces ge-0/0/2 unit 0 vlan-id 0

set interfaces ge-0/0/2 unit 100 vlan-id 100

NOTE: On all branch SRX Series devices, the sniffer mode is not supported.


IP Monitoring

• On SRX5400, SRX5600, and SRX5800 devices, in each PIC on the 40x1GE IOC cards

only 2 of the 10 ports can be enabled with IP monitoring on both the primary and

secondary sides. If more than two ports on the same PIC are enabled with IP monitoring,

the behavior of IP monitoring through reth or RLAG on the secondary side might be

abnormal.

• On SRX5400, SRX5600, and SRX5800 devices, the maximum number of IP addresses

that can be configured for monitoring is limited to 64.

• On SRX1400, SRX3400, and SRX3600 devices, the maximum number of IP addresses

that can be configured for monitoring is limited to 32.

• On all high-end SRX Series devices, the default configuration and minimum interval

of IP monitoring is 1 second, and the maximum interval is 30 seconds.

• On all high-end SRX Series devices, the default and minimum threshold of IP monitoring

is 5, and the maximum threshold is 15.

• When IP monitoring is enabled on a different subnet than the reth IP address, then you

must configure the proxy-arp unrestricted option on the upstream router.

Network Address Translation (NAT)

• On high-end SRX Series devices, the number of IP addresses for NAT with port

translation has been increased to 1M addresses.

The SRX5000 line, however, supports a maximum of 384M translation ports, and this limit cannot be increased. To use 1M IP addresses, you must therefore keep the number of twin ports per address below 384 (1M addresses × 384 ports = 384M). The following CLI commands enable you to configure the twin port range and limit the twin port number:

• set security nat source pool-default-twin-port-range <low> to <high>


• set security nat source pool sp1 port range twin-port <low> to <high>

TCP-Based DNS

• On all SRX Series devices, the Routing Engine policy supports a maximum of 1024 IPv4 address prefixes and 256 IPv6 address prefixes that can be sent to the Packet Forwarding Engine. If the number of IPv4 or IPv6 address prefixes exceeds these limits, the addresses beyond the limit are not sent to the Packet Forwarding Engine and a system log message is generated. The maximum number of addresses in a TCP DNS response is 4094 for IPv4 addresses and 2340 for IPv6 addresses, but only 1024 IPv4 addresses and 256 IPv6 addresses are loaded to the Packet Forwarding Engine.
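To turn the limits listed under Known Behavior into a check that can be run before a change window, here is an added example (not Juniper code) that validates a planned IP-monitoring configuration against the per-platform address cap, the interval and threshold ranges and the per-PIC port cap, computes the twin-port budget for a large source NAT pool on the SRX5000 line, and reports how much of a TCP DNS answer actually reaches the Packet Forwarding Engine. The platform table, ranges and caps are the values quoted above; the sample plan, the set of FPC slots that hold 40x1GE IOCs, and the decimal reading of 1M and 384M are assumptions.

```python
"""Check a planned high-end SRX deployment against the limits quoted under
Known Behavior: IP monitoring, the SRX5000 NAT twin-port budget and the
TCP DNS prefix cap. Added example, not Juniper code. The numeric limits are
the ones stated in the release notes; the sample plan is constructed and the
decimal reading of "1M"/"384M" is an assumption."""
import re

MAX_MONITORED_IPS = {"SRX5400": 64, "SRX5600": 64, "SRX5800": 64,
                     "SRX1400": 32, "SRX3400": 32, "SRX3600": 32}
INTERVAL_RANGE = (1, 30)          # seconds; the default is the minimum
THRESHOLD_RANGE = (5, 15)         # the default is the minimum
MAX_MONITORED_PORTS_PER_PIC = 2   # 40x1GE IOC, per PIC, on both cluster sides
SRX5000_MAX_TRANSLATION_PORTS = 384_000_000   # "384M", assumed decimal
MAX_DNS_PREFIXES = {"inet": 1024, "inet6": 256}

_PORT_RE = re.compile(r"^[a-z]+-(\d+)/(\d+)/(\d+)(?:\.\d+)?$")


def parse_port(ifname):
    """(fpc, pic, port) for physical names such as ge-1/0/3.0; None for reth/lo0."""
    m = _PORT_RE.match(ifname)
    return tuple(int(g) for g in m.groups()) if m else None


def check_ip_monitoring(platform, monitored, interval=1, threshold=5,
                        ioc_40x1ge_fpcs=()):
    """monitored: list of (address, interface). ioc_40x1ge_fpcs: FPC slots that
    hold 40x1GE IOCs (assumption: the per-PIC port cap applies only there).
    Returns a list of violations; an empty list means the plan fits."""
    problems = []
    limit = MAX_MONITORED_IPS.get(platform)
    if limit is not None and len(monitored) > limit:
        problems.append(f"{platform}: {len(monitored)} monitored addresses, limit is {limit}")
    lo, hi = INTERVAL_RANGE
    if not lo <= interval <= hi:
        problems.append(f"interval {interval}s outside {lo}-{hi}s")
    lo, hi = THRESHOLD_RANGE
    if not lo <= threshold <= hi:
        problems.append(f"threshold {threshold} outside {lo}-{hi}")
    ports_by_pic = {}
    for _addr, iface in monitored:
        parsed = parse_port(iface)
        if parsed and parsed[0] in ioc_40x1ge_fpcs:
            ports_by_pic.setdefault(parsed[:2], set()).add(parsed[2])
    for (fpc, pic), ports in sorted(ports_by_pic.items()):
        if len(ports) > MAX_MONITORED_PORTS_PER_PIC:
            problems.append(f"fpc {fpc} pic {pic}: {len(ports)} ports with IP monitoring, "
                            f"max {MAX_MONITORED_PORTS_PER_PIC}")
    return problems


def max_twin_ports_per_address(addresses):
    """Largest twin-port range size that keeps addresses * ports within 384M."""
    return SRX5000_MAX_TRANSLATION_PORTS // addresses


def twin_port_fits(addresses, low, high):
    """True when a pool of `addresses` IPs with twin ports low..high stays in budget."""
    ports = high - low + 1
    return ports >= 1 and addresses * ports <= SRX5000_MAX_TRANSLATION_PORTS


def twin_port_config(pool, addresses, low, high):
    """Emit the two CLI statements from the note, refusing a range that would
    push the SRX5000 line past its translation-port budget."""
    if not twin_port_fits(addresses, low, high):
        raise ValueError(f"{addresses} addresses x {high - low + 1} twin ports exceeds "
                         f"{SRX5000_MAX_TRANSLATION_PORTS}")
    return [f"set security nat source pool-default-twin-port-range {low} to {high}",
            f"set security nat source pool {pool} port range twin-port {low} to {high}"]


def dns_prefixes_loaded(family, resolved):
    """(loaded, dropped) for a TCP DNS answer carrying `resolved` addresses."""
    loaded = min(resolved, MAX_DNS_PREFIXES[family])
    return loaded, resolved - loaded


if __name__ == "__main__":
    plan = [(f"10.1.{i}.1", f"ge-1/0/{i}") for i in range(3)]   # constructed plan
    print(check_ip_monitoring("SRX5800", plan, ioc_40x1ge_fpcs={1}))
    print(twin_port_config("sp1", 1_000_000, 65153, 65535))   # 383 twin ports
    print(dns_prefixes_loaded("inet", 4094))
```

The twin-port range in the sample (65153 to 65535, 383 ports) is one choice that fits a 1M-address pool; pick the low and high values to suit the pool, the check only enforces the product.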

Upgrade and Downgrade

• On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS

Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails

when attempting to validate the configuration. To resolve this, use the no-validate

option.

RelatedDocumentation

• New and Changed Features on page 4

• Changes in Behavior and Syntax on page 15

• Known Issues on page 28

• Resolved Issues on page 34

• Documentation Updates on page 47

• Migration, Upgrade, and Downgrade Instructions on page 50


Known Issues

This section lists the known issues in hardware and software in Junos OS Release

12.1X47-D10.

For the most complete and latest information about known Junos OS defects, use the

Juniper Networks online Junos Problem Report Search application.

Application Identification and Tracking

• On all SRX Series devices, when you upgrade from any Junos OS release to Junos OS

Release 12.1X47-D10 with custom IDP attacks using custom nested applications, mgd

commit fails.

As a workaround, before you perform any upgrade, deactivate any custom IDP attacks.

PR999282

• On all SRX Series devices, when you upgrade Junos OS Release from 12.1X46-D10 to

12.1X47-D10, the appcache and session state synchronization is not supported because

of incompatible changes in the AppID engine. PR986569

Chassis Cluster

• On SRX1400 devices in a chassis cluster, after you commit a configuration, the LED

changes from green state to off. PR749672

• On SRX Series devices in a chassis cluster in Z mode, rate-limited traffic shows a deviation in the traffic forwarding rate. PR779368

• On all high-end SRX Series devices in a chassis cluster, some persistent NAT table

entries cannot be removed on the SPU when the device is under heavy traffic with

multiple failovers. PR834823

• On all SRX Series devices, when Layer 2 bridging is configured, both the nodes must

be rebooted. After you reboot the primary node, the secondary node goes into a disabled

state because of a fabric link failure.

As a workaround, reboot both the nodes (including the one running as primary).

Rebooting only the disabled node does not resolve the issue. PR892374

• The secondary node in a chassis cluster environment might crash or go into DB mode

because of panic: rnh_index_alloc after frequent failover when IPsec VPN is enabled.

PR917719

• On SRX5600 and SRX5800 devices in a chassis cluster, when you run the telnet

program on either the primary or secondary Routing Engine connecting to SPUs on the

Packet Forwarding Engine side, the connection gets stuck because an incorrect source

IP is used by the telnet program in the multichassis environment.

As a workaround, when the connection gets stuck, specify the local chassis IP by using

-s parameter as its source IP for the telnet program to connect to SPUs. PR923782

• On SRX Series devices in a chassis cluster, the PIC might go offline on one of the nodes

due to RG0 failover caused by rebooting the device. PR933248


Dynamic Host Configuration Protocol (DHCP)

• On all SRX Series devices, when the device acts as a DHCP client and if it receives a

DHCP offer containing a large lease value (for example, the lease value is greater than

or equal to 230,000,000 seconds) from a DHCP server, the DHCP process on the

device crashes. The DHCP client interface acquires an IP address, but the routes will

not be through DHCP. PR899941

• On all high-end SRX Series devices, the sub object identifier (OID) values displayed

under jnxJdhcpLocalServerBindings are incorrect. PR946036

• On all high-end SRX Series devices, after you delete the DHCP server binding, the IP

addresses assigned to the ARP and host route still exist in the device. PR947601

• On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717

• On all high-end SRX Series devices, the DHCP server SNMP information cannot be

displayed in the logical system. PR956597

• On all high-end SRX Series devices, the DHCP relay does not work when you configure

the DHCP relay point to the local server cross-routing instance. PR964710

• On SRX1400, SRX3400, and SRX3600 devices, the DHCP client might not get an IP

address after you reboot the system. This is because the Routing Engine cannot get

an “all card ready event” notification.

As a workaround, configure a dhcp-client retransmit-attempt or a

dhcp-retransmit-interval option with a large value, or send a DHCP client renew request.

PR972984

• On SRX3600 devices running DHCP client service, when you restart the DHCP service

and clear the DHCP client binding, the default route is not removed immediately after

these actions. However, the default route will be deleted after 15 minutes. PR981194
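The lease-time crash in PR899941 is triggered by data that arrives from the network, so a rogue or misconfigured DHCP server on the segment can take down the DHCP client process on the device. The following added example (not Juniper code) screens captured offers for that condition: it parses the DHCP option field of an OFFER, extracts option 51 (IP address lease time) and flags leases at or above the 230,000,000-second value quoted in the note. The OFFER it builds is constructed, and the 236-byte BOOTP fixed header is assumed to have been stripped before the option field is passed in.

```python
"""Screen a DHCPOFFER option field for the oversized lease value that crashes
the SRX DHCP client process (PR899941). Added example, not Juniper code.
The OFFER below is constructed; the 230,000,000 s threshold comes from the
release note; the 236-byte BOOTP fixed header is assumed already stripped."""
import struct

LARGE_LEASE_SECONDS = 230_000_000
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
DHCPOFFER = 2


def parse_options(field):
    """Return {code: value} for the TLV options after the magic cookie.
    Stops at END, skips PAD, and refuses truncated options instead of
    reading past the buffer (the length byte is attacker-controlled)."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated")
        opts[code] = value           # a repeated code keeps the last copy
        i += 2 + length
    return opts


def is_well_formed(field):
    """True when the option field parses cleanly, False on any framing error."""
    try:
        parse_options(field)
        return True
    except ValueError:
        return False


def lease_seconds(opts):
    """Option 51 is a 4-byte unsigned big-endian lease time; None if absent."""
    raw = opts.get(OPT_LEASE_TIME)
    return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None


def assess_offer(field):
    """Summarize an OFFER: which server sent it, the lease it carries, and
    whether that lease is in the range PR899941 says crashes the client."""
    opts = parse_options(field)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return {"offer": False, "server": None, "lease": None, "dangerous": False}
    sid = opts.get(OPT_SERVER_ID, b"")
    lease = lease_seconds(opts)
    return {"offer": True,
            "server": ".".join(str(b) for b in sid) if len(sid) == 4 else None,
            "lease": lease,
            "dangerous": lease is not None and lease >= LARGE_LEASE_SECONDS}


def build_offer(lease, server="192.0.2.1"):
    """Constructed OFFER option field used as sample input."""
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server.split("."))
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
            + bytes([OPT_END]))


if __name__ == "__main__":
    for lease in (86400, 230_000_000, 0xFFFFFFFF):
        print(assess_offer(build_offer(lease)))
```

Because the check runs on the option field alone, it can be fed from a packet capture taken on the untrusted segment before the device is allowed to accept offers there.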

Flow-Based and Packet-Based Processing

• On all branch SRX Series devices, when you clear the IPv6 neighbors or reboot the

device, one or two packets are dropped on the first ping. PR479603

• When reverse path forwarding (RPF) is enabled along with RPM, the device changes

to the db prompt and loses reachability when you delete some configurations.

PR869528

• On SRX Series devices with 1 GB of memory, if the advanced services license is

configured with the reduce-dp-memory option, memory is not released from the data

plane to the control plane.

As a workaround, when the advanced services license is configured, do not configure

the reduce-dp-memory option. PR895648

• On all SRX Series devices, creating a session for the from-self OSPF or from-self OSPF3

traffic is not possible. If the from-self OSPF or from-self OSPF3 traffic enters the IPsec

tunnel, you cannot perform pre-fragmentation for the traffic, because the traffic

bypasses flow fragmentation process and the jexec cannot support the IPv6

post-fragmentation process. Hence, the packet is dropped by the jexec.


As a workaround, reduce the MTU value of st0. The Routing Engine fragments the

OSPF3 traffic and avoids the egress traffic fragmentation of the tunnel. PR918429

• On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply

the rate limiter for egress traffic. PR918942

• On all high-end SRX Series devices, the Layer 3 and Layer 4 signatures (IPP and ICMP)

are not supported. PR986058

• On all high-end SRX Series devices, when you use multicast and there are more than

600 copies of a multicast packet for a multicast group, a flowd core file is generated

when you commit the configuration. PR986592

• In Junos OS Release 12.1X47-D10, memory-allocated failure causes the NAT module

to generate a core file under the following conditions:

• SPC

• Combo mode (cp-flow)

• UTM memory and IDP sessions are enabled using the following commands:

• set security forwarding-process application-services enable-utm-memory

• set security forwarding-process application-services maximize-idp-sessions weight idp

• set security forwarding-process application-services maximize-idp-sessions inline-tap

As a workaround, do any one of the following:

• On SRX Series devices with a combo-mode SPU, do not enable UTM memory and

IDP sessions at the same time using the following commands:

• set security forwarding-process application-services enable-utm-memory

• set security forwarding-process application-services maximize-idp-sessions weight idp

• set security forwarding-process application-services maximize-idp-sessions inline-tap

• You can prevent the SPU from running in combo mode by inserting the

next-generation SPU before you insert the combo-mode SPU or replace the

combo-mode SPU with the next-generation SPU.

PR1019568

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices, when both the Gn and Gp interface pass through

an SRX Series device, and the Gn interface is NAT-enabled, the restart counter only

takes effect on the Gn interface. PR893379

• On all high-end SRX Series devices, the SCTP association count is not equal to chassis

cluster nodes after you create and clear SCTP associations. PR968581

• On all high-end SRX Series devices, the SCTP multichunk inspection association is lost

after you perform ISSU from Junos OS Release 12.1X45-D10 to 12.1X47-D10. PR971569


Interfaces and Routing

• On all SRX Series devices, in the SNMP jnxJdhcpRelayBindings table, the oid value for

the IP address and time have format errors. Hence, the oid value for the interface is

lost. PR908619

• SFP interfaces ge-0/0/7, ge-0/0/8, and ge-0/0/9 on the 1-Gigabit Ethernet SYSIO

card autonegotiate to 10 gigabits per second when the port status is down. PR946581

• On all high-end SRX Series devices, the interface monitoring option causes an unexpected RG0 failover during the system reboot. This is because the interface monitoring option is only applicable to the data-plane interface and it should not be associated with the RG0, which represents control-plane redundancy. Enabling the interface monitoring option under the RG0 is not supported on high-end SRX Series devices.

As a workaround, disable the interface monitoring option under the RG0. PR970023

Intrusion Detection and Prevention (IDP)

• On the B and H models of SRX100, SRX210, and SRX240 devices with 1 GB of RAM,

the predefined IPS templates other than the recommended template might not compile

successfully because of low memory. PR925337

• On SRX210 and SRX220 devices, due to memory constraints, the combination of large

IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile

successfully. PR970170

Network Address Translation (NAT)

• On all SRX Series devices, when you run the show security nat source port-block

command in a chassis cluster with detail node id, the Port_Block Range,

Ports_Used/Ports_Total and Block_State/Left_Times(s) lists will have random wrong

information at the first line. This is an output issue and does not impact any feature.

PR957371

• On all high-end SRX Series devices in a chassis cluster, the PBA blocks and the deterministic table counters might not be synchronized between the nodes.

For a PBA NAT pool, the PBA blocks are not synchronized to the secondary node for a conflicting NAT resource, because the primary (master) node reuses the NAT port resource too quickly.

For a deterministic NAT pool, the Ports_Used counters in the deterministic table are not synchronized to the secondary node for a conflicting NAT resource, for the same reason.

When both the NAT resource and the destination IP address conflict at the same time, the session wing1 might conflict. PR965193

• On all high-end SRX Series devices, when you add a /96 IPv6 address to the host

address of the deterministic NAT pool, a nsd core file is generated when you commit

the configuration. PR985511


Platform and Infrastructure

• On all high-end SRX Series devices, when you try to reload a kernel module that is

already linked to the kernel, an error message is displayed because the module is

already present. No functionality is impacted by the error message. PR817861

• On all SRX Series devices, when you upgrade a Junos OS release from one version to

another, some error messages will be sent out. These messages are harmless warning

messages that are generated during image checking and do not affect the ISSU.

PR926661

• If a large number of IPv6 addresses are configured on a single interface (or on a large

number of logical interfaces), the kernel might be very busy when the interface is

enabled or disabled. Key kernel modules, like TNP/RDP, cannot be scheduled in time

under such situations.

As a workaround, disable Duplicate Address Detection on the interface. PR929300

• On SRX1400 devices, when the rpf-check option is enabled, the vmcore process crashes when you commit the configuration and during RG0 failover. In a chassis cluster, the vmcore process crashes on both nodes during the RG0 failover. PR948279

• On SRX240B2 and SRX240H2 devices, when you try to upgrade the device from Junos

OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade

fails when attempting to validate the configuration.

As a workaround, use the no-validate option to bypass the validation. PR958421

• On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding Engine connects to and sometimes disconnects from the Routing Engine. Hence, the IP resolve events sent to the Packet Forwarding Engine are ignored. When you configure multiple DNS policies after the ISSU process, some of the policies will not have IP addresses in the Packet Forwarding Engine.

As a workaround, use the request security policies resync command. PR985731


Screens

• On SRX5600 devices, when you configure the IP spoofing screen in Layer 2 mode, if the delete security or delete security zone/screen/address-book command is executed before the IP spoofing screen and the address books for the specific zones are defined, and the configuration is not committed, the addresses in the Packet Forwarding Engine might be incorrect. Because of this, IP spoofing detection might not work.

As a workaround, after executing the delete security or delete security zone/screen/address-book command, commit the configuration before you continue the IP spoofing configuration. Or, if the IP addresses in the Packet Forwarding Engine are not correct, restart nsd from the CLI using the restart network-security immediately command. PR943232

VPN

• On all high-end SRX Series devices, IPsec replay errors might be observed after RG1

failovers. PR832834

• On all high-end SRX Series devices, in an AutoVPN deployment, when the multicast

traffic sender is located behind a spoke, the multicast traffic might drop for up to 6

minutes during ISSU in the hub. The recommended AutoVPN multicast topology is to

locate the multicast source behind a hub. When you locate the multicast source behind

a spoke and if the hub is in chassis cluster mode, use the following commands to

minimize the traffic drop during ISSU in the hub:

set chassis redundancy graceful-switchover

set routing-options graceful-restart

set protocols bgp graceful-restart restart-time 600

set protocols bgp graceful-restart stale-routes-time 600

set protocols pim graceful-restart restart-duration

PR946951

RelatedDocumentation

• New and Changed Features on page 4

• Changes in Behavior and Syntax on page 15

• Known Behavior on page 19

• Resolved Issues on page 34

• Documentation Updates on page 47

• Migration, Upgrade, and Downgrade Instructions on page 50


Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance

releases.

For the most complete and latest information about known Junos OS defects, use the

Juniper Networks online Junos Problem Report Search application.

Application Layer Gateways (ALGs)

• On SRX Series devices with the VoIP-related ALG (either H.323 or SIP) and NAT enabled

for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for

the reverse VoIP traffic (even though the persistent NAT feature is not configured in

the source NAT rule) when VoIP traffic is transmitted into a custom routing instance.

Hence, the system does not apply the custom routing instance information to the

persistent-nat-binding entries, and the reverse traffic that matches the

persistent-nat-binding entries is forwarded to the default routing instance instead of

to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong

place. PR924553

• On all SRX Series devices, the REAL ALG is not supported, but you can configure it from

both the CLI and J-Web. PR943123

• On all SRX Series devices with the SCCP ALG enabled, the SCCP ALG drops packets

with unknown message identification. In a NAT scenario, the SCCP ALG performs NAT

for different SCCP messages with different NAT results, and data traffic is dropped.

PR952180

• On all SRX Series devices, a flowd core file is generated because of a malformed SIP

packet. PR956157

• On all SRX Series devices, the Microsoft Active directory or Microsoft Outlook client

might get disconnected from the server because the MS-RPC ALG incorrectly drops

the data connections under heavy load. PR958625

• On all SRX Series devices, when the ALG receives IPv6 payload information for

processing and if the IPv6 flow mode is not enabled on the device, the flowd process

might crash. PR964817

• On all SRX Series devices, when RTSP ALG traffic passes through the routing-instance

type virtual-router, traffic is dropped. PR979899

Authentication and Access Control

• On all SRX Series devices, when Web authentication is enabled using the SecurID

authentication, it will fail if there is a change in the DNS server configuration. The authd

process causes the old DNS server to send the DNS request. PR885810

• On SRX Series (except the SRX110) devices in a chassis cluster working as a Unified

Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding

Engine might connect to the uac process before the uac process connects to the UAC

server. In this condition, the uac process conveys to the Packet Forwarding Engine that


the UAC server is disconnected. When the Packet Forwarding Engine receives this

information, it denies new traffic that matches the UAC policies. The traffic is resumed

after the connection of the uac process and UAC server is established. PR946655

• On all SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit. PR969107

Chassis Cluster

• On all SRX Series devices in a chassis cluster, the dcd process leaks memory on the Routing Engine when you change a reth interface configuration (that is, activate, deactivate, delete, or add a reth interface). PR893759

• On all SRX Series devices in a chassis cluster, when you download the IDP signature

database from the primary node, it is not synchronized to the secondary node.PR914987

• On all high-end SRX Series devices in a chassis cluster, in certain IPv6 configurations,

the SPU sends out packets with an invalid header on the secondary node, which in turn

triggers a hardware monitoring failure on the secondary node. PR935874

• On all branch SRX Series devices in a chassis cluster, an identical address is found on both the private and public interfaces, and a kernel panic occurs after RG0 failover. PR937438

• On all SRX Series devices (except the SRX110) in a chassis cluster, in certain conditions,

the chassis cluster fabric link hello packet might be corrupted, causing the flowd process

to crash. PR939828

• Due to logic problems with the next-generation SPC nvram component, sometimes

the central Packet Forwarding Engine processor tries to yield a thread during an

interrupt-disable scenario. This operation causes the central Packet Forwarding Engine

processor to hang, and the flexible PIC concentrator is marked as offline. As a result,

the chassisd detects the flexible PIC concentrator as being down and resets all flexible

PIC concentrators, causing failover in chassis clusters. PR940392

• On all branch SRX Series devices, the counter for incoming traffic on a fabric interface

(used for chassis cluster) always shows zero (0). PR949962

• In Junos OS Release 12.1X46-D10 and earlier, in a chassis cluster environment, when a

secondary node failed, no notification was sent to report the secondary node failure.

Starting in Junos OS Release 12.1X47-D10, in a chassis cluster mode, the primary node

sends the SNMP generic event trap to report failures on the primary node and the

secondary node. PR953639

• On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario,

the secondary node (for example, node 1) uses a local interface to back up the interface

in the primary node (for example, node 0). If there is a route change, then the traffic is

sent to the egress from the backup interface, which is the local interface of node 1.

After the route resumes, the traffic is sent back to the egress from the primary interface,

which is the local interface of node 0. The session related to the route change is in

active state on both the nodes. Traffic might be interrupted when the session times

out on the backup node and the session on the primary node is deleted. PR951607


• On all branch SRX Series devices, the G-ARP replies do not update the existing MAC

address entry. When the MAC address timer expires, a new MAC address is updated.

PR953879

• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, when the secondary node becomes ineligible because of a control link failure, it might still forward traffic. This causes the reth interface to flap and the related traffic to drop while the secondary node is in the ineligible state. PR959280

• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable

LACP on a reth interface, the related route's next hop remains in the hold state.

PR960994

• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, after the

primary node power cycle, the Flexible PIC Concentrators (FPCs) on both the nodes

might lose the connection to the new primary Routing Engine, causing the FPCs on

both the nodes to get stuck in present state. PR961351

• On SRX3600 devices, the fabric-link becomes down when you execute manual failover

using the request chassis cluster failover redundancy-group 0 node 0 command.

PR965077

Dynamic Host Configuration Protocol (DHCP)

• SRX100 devices send the same DHCP packets twice, but the SRX220 devices send

the DHCP packets only once. PR894760

• On all SRX Series devices, you cannot get the DHCP relay information through SNMP

if DHCP relay is configured under the logical system. For example, the following query returns no rows:

bash-3.2# snmpwalk -c lsys1/default@junos-t5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics

bash-3.2#

PR909906

• On all SRX Series devices, in the DHCPv6 client command description, the word stateful

was misspelled as statefull. It is changed to stateful in the description; however, the

keyword is retained as statefull to avoid incompatibility. PR924692

• On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the

dhcpv6 process crashes. PR940078

• On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246

• On all high-end SRX Series devices, the DHCP server on the device gives the same IP

address to two different hosts and both hosts are active in the MAC binding table,

causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP

INFORM packet from a binding client and a DHCP RELEASE packet from the same

client. PR969929

Flow-Based and Packet-Based Processing

• On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217

• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are

generated due to a DDR2 memory timing issue between DRAM and the CPU. The

symptoms include flowd core files, core files from other processes (for example, snmpd,


ntpd, and rtlogd), and silent reboot without core files and system freeze. These core

files are related to RAM access (for example, pointer corruption in session ager ring

entry), and there are no consistent circumstances that cause these core files to be

generated. PR923364

• On all SRX Series devices, when you run the clear security flow session command with

a prefix or port filter, some of the sessions are not matched with the filter, causing a

traffic drop or delay. This issue is triggered by any of the filters. PR925369

• On all branch SRX Series devices, in some cases, the ARP response is not accepted

when the frame size is above the common value (for example, when the frame was

padded by intermediate Layer 2 devices). PR927387

• On all SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP

features that require serialization flow processing, the memory buffer might leak,

causing the flowd process to crash. PR930728

• On all SRX Series devices, when loading a configuration in private mode, the annotated

message statement is truncated to 1024 characters. PR930834

• On all SRX Series devices, if GRE tunnel configuration is committed without a correct

route to the tunnel destination, the GRE tunnel session will bind the wrong anchor

interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface

will not be updated even after the route is corrected when you commit the subsequent

configuration. PR933591

• On all SRX Series devices, the indirect next hop for ECMP is not supported. PR935867

• On all SRX Series devices (except the SRX110) configured in a chassis cluster, under

certain conditions, the flowd process might crash during the cold synchronization

process. PR936014

• On all high-end SRX Series devices, in certain circumstances, high CPU consumption

on the data plane and eventual exhaustion of the internal system buffers might corrupt

the forwarding table, causing partial traffic drops. PR938742

• On all SRX Series devices, when IKE packets are received before Junos OS default

applications are pushed to the Packet Forwarding Engine, the IKE sessions will be

established without the IKE application having been marked. As a result, the fragmented

IKE packet cannot be sent to iked, because the IKE session has not used IKE

applications. PR942730

• On all SRX Series devices, if the first packets of a single session come from both

directions at the same time, the application information on the session is corrupted

during session installation and the flowd process crashes. PR942877

• On all SRX Series devices, when the device is in packet mode, after you change an

interface configuration, the warning message warning: You have changed inet flow

mode; You must reboot the system for your change to take effect is displayed. The same

message is displayed on every commit until the next reboot. This message can be

safely ignored. PR949472

• On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST)

and a FIN (the second FIN of the session) at the same time for a session, the RST and

the FIN packet might get processed by different threads. As a result, the session time


out updates incorrectly, and the session remains on the session table for 150 seconds.

PR950799

• On all SRX Series devices, the flowd process might crash when the system performs

persistent NAT function for ALG traffic. This is because of lack of memory to allocate

for persistent NAT bindings. PR951011

• On all SRX Series devices, when RG0 failover is triggered, the old RG0 primary device

reboots or both devices reboot. PR953723

• On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time

out and get corrupted. This leads to the flow sessions being set to an abnormally high

value, which eventually leads to the session table becoming full. PR955630

• On all high-end SRX Series devices, the flowd process might crash during the session

installation. PR956775

• On all SRX Series devices, SSH connection is not possible between Cisco devices

running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2

or later. PR957483

• On all SRX Series devices, in a site to site VPN scenario, when the device is configured

as an IPsec initiator, the flow session time out is refreshed by the reroute packet. This

causes an old session to remain in the session table, the VPN connection not to recover,

and packet drops to occur. PR959559

• On all branch SRX Series devices, when you configure an ICMP probe-server option

under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0),

the device does not respond to ICMP requests from this interface. Other interfaces are

not affected and can continue to respond to ICMP requests. PR960932

• On all SRX Series devices, when you reboot the passive node, the CPU usage on the flow SPUs of the primary node increases for a few seconds, during which traffic latency increases. PR962401

• On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing

sessions are rerouted. PR962765

• On all branch SRX Series devices with the IP spoofing screen enabled, the routing table search might fail because the routing table is locked by the system, causing a false-positive IP spoofing detection. PR967406

• On all high-end SRX Series devices, when you send SCTP packets to test the capacity, the SCTP packets might cause a core file to be generated. PR968951

• On all SRX Series devices, white spaces are not supported in the PKI certificate name.

PR975374

• On SRX550 devices, the maximum number of flow sessions is configured incorrectly: the devices have a larger session capacity than the configured session value. PR977169

• On all branch SRX Series devices, application traffic control rate limiters are

unsupported on model H2. PR979901

• On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of memory corruption in the random number function. PR982931
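Sequential NAT source ports, as in PR982931, matter beyond the bug itself: an off-path attacker who can predict the next translated port has an easier time injecting into UDP exchanges such as DNS. The following check is an added example, not Juniper tooling: it parses session records and flags an allocator that hands out consecutive ports. The sample records are constructed here in the shape of show security flow session output, and both that format and the assumption that session IDs increase in allocation order are assumptions, not facts taken from this page.

```python
import re

# "Session ID: <n>, ..." opens a record; the "Out:" wing's destination is the
# translated source address/port after source NAT (format is an assumption).
SESSION_ID = re.compile(r"^Session ID: (\d+),")
OUT_WING = re.compile(r"^\s*Out:\s+\S+\s+-->\s+\S+/(\d+);")


def session_block(session_id, inside_port, nat_port):
    """Build one constructed session record for the samples below."""
    return (
        f"Session ID: {session_id}, Policy name: trust-to-untrust/5, Timeout: 1800, Valid\n"
        f"  In: 10.0.0.5/{inside_port} --> 203.0.113.10/443;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 200\n"
        f"  Out: 203.0.113.10/443 --> 198.51.100.1/{nat_port};tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 100\n"
    )


# Constructed samples: an affected device hands out consecutive NAT ports,
# a healthy one spreads them across the ephemeral range.
AFFECTED_OUTPUT = "".join(
    session_block(2001 + i, 53121 + i, 1024 + i) for i in range(5))
HEALTHY_OUTPUT = "".join(
    session_block(3001 + i, 53121 + i, port)
    for i, port in enumerate([23411, 51209, 7823, 44190, 61502]))


def translated_source_ports(output):
    """Translated source ports ordered by session ID (assumed allocation order)."""
    records, current = [], None
    for line in output.splitlines():
        m = SESSION_ID.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = OUT_WING.match(line)
        if m and current is not None:
            records.append((current, int(m.group(1))))
    return [port for _, port in sorted(records)]


def sequential_fraction(ports):
    """Fraction of adjacent port pairs that differ by exactly +1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def looks_sequential(ports, threshold=0.5):
    """True when allocation looks predictable. A randomizing allocator almost
    never produces runs of +1 steps, so a 0.5 bar is generous."""
    return sequential_fraction(ports) >= threshold


if __name__ == "__main__":
    for label, text in (("affected", AFFECTED_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        ports = translated_source_ports(text)
        print(label, ports, "sequential" if looks_sequential(ports) else "ok")
```

Feed it a few dozen sessions created in quick succession; five records, as in the constructed sample, are enough to show the shape of the check but not to draw a conclusion on a busy device.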


General Packet Radio Service (GPRS)

• On all SRX Series devices, when you send the 4-way handshake control packets to

create associations for the capacity test, a core file is generated. PR980262

Hardware

• On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU when the national standard feature is used, because of a violation of ITU-T Recommendation G.704. PR939944

Interfaces and Routing

• The counter for incoming traffic on a fabric interface (used for chassis cluster) always

shows zero (0). PR520962

• On SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd

core file might be generated on the backup Routing Engine. PR711679

• On all SRX Series devices, when you configure and commit IPv6 addresses on a logical interface, the output of the show interfaces terse command does not reflect the change immediately. PR802229

• SRX5800 devices might log the Bottom Fan Tray Unable to Synch message. However,

this message can be ignored. PR833047

• On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface

dl0.0 might get stuck in the down link state. PR855897

• On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port on the ge-0/0/0 interface. PR919617

• On SRX Series devices with the 3G USB wireless modem, when the signal is low, the

3G cellular modem interface (cl-0/0/*) displays the status as Connected even though

there is no signal or there is a low signal with no network connection. This is because

there is no mechanism for the wireless WAN process to notify the Routing Engine of

the status change even though the Packet Forwarding Engine is notified. After the

signal recovers, the 3G cellular modem interface is not able to dial again. PR923056

• On all high-end SRX Series devices, the output of the show interfaces extensive command is cut short with the error message error: route rpf stats get for interface. PR930630

• When IS-IS is configured between the SRX Series device and some third-party devices,

after the SRX Series device is rebooted and the IS-IS adjacency is reestablished, the

routes advertised by the third-party devices might not install into the routing table in

some cases. PR935109

• On SRX550 devices with DS3/E3 interfaces, the external clocking option is disabled

to overcome the limitation present in the hardware to support this clocking option.

With the revised version of hardware, the external clocking limitation has been fixed.

Hence the external clocking option is reenabled. PR936356

• On all SRX Series devices, deactivating static routes can lead to deactivation of other

configuration sections. PR939712


• On all SRX Series devices, modifying a policy element that is deactivated by the policy

scheduler leads to problems in searching the policy tree in memory. An incorrect policy

match occurs after the policy is reactivated by the scheduler. PR944215

• On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc,

when you connect to an ae interface with LACP enabled, the LACP packets do not

pass through the ethernet-ccc encapsulated interface. PR945004

• On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2,

SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the

Point-to-Point Protocol over Ethernet (PPPoE) feature session is disconnected or the

connection is not available. PR956307

• On SRX210 and SRX220 devices, certain jumbo frames are dropped even though the

MTU is set correctly. PR963271

• On all SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235

• On all SRX Series devices, when the proxy-ndp feature is enabled on the interface, the

entries in the IPv6 neighbor table from the interface might flap. PR970281

• On SRX5400, SRX5600, and SRX5800 devices, the counters displayed in the reth

interface are not correct. PR978421

Intrusion Detection and Prevention (IDP)

• On SRX Series devices with IDP enabled, high data plane CPU usage occurs in certain

SPUs for a few seconds. PR848485

• On all SRX Series devices, when you disable the option idp policy-optimizer using the

set security idp sensor-configuration no-policy-optimizer command, the policy fails to

load after reboot. PR883258

• On branch SRX Series devices with IDP enabled, when you use the hardware Deterministic Finite Automaton (DFA), which is enabled by default on all devices except SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for the signature APP:RDP-BRUTE-FORCE. PR911994

• On all SRX Series devices, the new entry or flag representing an alert notification is

seen in the system log message. If the alert is configured in the IDP rules, the flag is set

to “yes”; otherwise, it is set to “no”. PR948401

• On all high-end SRX Series devices, when the LACP mode is fast and the IDP is in

inline-tap mode, a LACP flap might occur when you commit the configuration.

PR960487

• On all SRX Series devices, when you upgrade the detector version, the detector kconst

value becomes the default value. PR971010


J-Web

• On all SRX Series devices, the httpd process generates a verbose log in the default

configuration. PR930723

• On all SRX Series devices, when you make any changes on the J-Web page and try to

commit or refresh the page, the operation might time out due to two Asynchronous

JavaScript and XML (AJAX) requests being sent out at the same time. The second

AJAX request is sent out when the first AJAX request does not receive a response.

PR935552

• When you change the password minimum-length characters from 6 to 8, J-Web shows

the error message minimum-length is 6. PR942219

• On all SRX Series devices, J-Web does not accept the keyword “any” in the address-book

object name. PR944952

• On all SRX Series devices, session logs generated by the global policies are not displayed

on the Monitor > Events and Alarms > Security events page or in the policy log window

on the Configure > Security > Policy page in J-Web. PR962892

• On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to configure the local-certificate or pki-local-certificate options for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured. PR969672

• On J-Web, the App-FW page does not show the counter information. PR972473

Network Address Translation (NAT)

• On all SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled,

a certain crafted packet might cause the flowd process to hang or crash. A hang or

repeated crash of the flowd process creates an extended denial-of-service condition

for the devices. PR954437

• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap

for the NAT pool with logical systems configured.

Starting with Junos OS Release 12.1X47-D10, the SNMP trap for the NAT pool with

logical systems configuration can be sent from the device. PR959219

• On all high-end SRX Series devices, the source paired address table for the IPv6 PBA

pool is not released on the primary node after the session time out. PR975093


Platform and Infrastructure

• On all high-end SRX Series devices, when the management-ethernet link-down ignore command is configured under the chassis alarm hierarchy, the show chassis alarms command does not display the fxp0: Ethernet Link Down alarm message. However, the following messages might be seen in the logs:

craftd[1163]: %DAEMON-3: attempt to delete alarm not in list

alarmd[1162]: %DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS reason=Host 0 fxp0: Ethernet Link Down

PR749954

• On all SRX Series devices, when you log in to the device, the login process might crash

due to abnormal disconnection behaviors. PR802169

• On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order

packets while transferring large TCP files, the throughput might be heavily impacted.

PR881761

• When GRE is enabled, AppQoS classification, marking, or rate limit does not work for

fragmented packets in the client-to-server direction. PR924932

• On all SRX Series devices, when using JDHCP, the server does not respond with a DHCPOFFER packet when it receives a DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and to increase storage use on the /mfs partition. PR925111

• On SRX5800 device in a chassis cluster, when the device is connected to the Nexus

switch, control plane failover occurs. This failover causes the LACP timer to change

from slow periodic to fast periodic. PR926019

• On all SRX Series devices, for SCTP IPv6 traffic in traffic logs, all the source and

destination ports are marked as port 1. PR928916

• On SRX1400 devices with SYSIO-XGE IOC cards, the xe-0/0/9 interface might not come up when the cable is reconnected after you upgrade to Junos OS Release 12.1X47-D10. PR929276

• On all SRX Series devices, when the Network Security Daemon (NSD) holds a buffer related to the NAT proxy-arp process, a memory leak occurs. This issue occurs when you commit the configuration. PR931329

• On SRX1400 devices, if an SFP-T (part number 740-013111) transceiver is plugged into port ge-0/0/6, the port might be set to physically down after upgrading to Junos OS Release. PR933751

• On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail in certain SPC cards with the message No response from peer node after 900 tries. PR941845


• On all SRX Series devices with a large number of next-hop entries, frequent interface flaps might cause the Routing Engine to fail to allocate a next-hop index, causing traffic to drop. PR943388

• On all branch SRX Series devices, because of a timing issue, the VLAN interface might

fail to add security zone information after the RG0 failover. PR944017

• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) installed, the hardware interrupt handler checks the link-up or link-down status of unused internal ports of the next-generation SPC. This might cause the Control Plane Processor (CPP) to hang, causing all the Flexible PIC Concentrators (FPCs) to reset. PR959655

• On SRX1400, SRX3400, and SRX3600 devices, high traffic on the fxp0 interface

destabilizes the control plane functions. PR962909

Switching

• On SRX210 devices running in packet mode, when DSCP marking (32 - 63) is on and

the destination MAC in the packet header is present in the SRX ARP table, the devices

reply to packets that are not destined to them. On devices in a chassis cluster, you

must ensure that packets not destined to the SRX210 do not reach the device.

PR950486

System Logging

• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages

file:

sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc

These system logs do not affect the device. PR738199

• On SRX5400, SRX5600, and SRX5800 devices, when error-correcting code (ECC) errors occur on IOC or FIOC cards, the issue is difficult to identify because the error is not logged on the device. PR900617

• The error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server

certificate verification has failed. The certificate might be a self-signed certificate or

an expired certificate. PR932274

• On all SRX Series devices, the following error message is displayed on system or event

logs after you upgrade to Junos OS Release 12.1X47-D10: Can't find ifa on e1-x/0/x.y.

This message is harmless and does not affect the E1 interfaces and can be ignored.

PR971503

• The SNMP walk for the jnxPicType2ASPCXLP object might fail, show the error message jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) in the logs, and fail to receive information from the device. PR974463


Unified Threat Management (UTM)

• On all branch SRX Series devices, webpages become unavailable and do not display

any content when you enable Sophos antivirus for HTTP traffic. PR906534

• On all high-end SRX Series devices, EWF logs are not marked with user role information.

PR936799

• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option

enabled, and the intelligent-prescreening option configured, the chunked packet that

only contains chunk-size data without any actual data is recognized as an invalid data

packet, and the packet is dropped before it passes to the KAV engine in the KAV HTTP

proxy processing. PR937539

• On all branch SRX Series devices, when the category action is permit, the result is the category site-reputation action; when no category reputation action is defined, the result is the global site-reputation action and then the default action. This confusion occurs because the explicit permit action is not applied under the specific category. To resolve this problem, configure the explicit action directly on the category. If you do not configure any action, the global site-reputation action is the result. The category reputation is not used in Enhanced Web Filtering. PR939352

• On all high-end SRX Series devices, when you install a license, you might see the

message license not valid for this product add license failed. Even though the message

appears, the feature still functions normally. In addition, the show system license

command does not display the Sophos antivirus, antispam, or Web filtering licenses.

PR948347

• On all branch SRX Series devices, the test security utm anti-virus command for the

antivirus feature does not work due to an Invalid argument error message. PR951124

• On all branch SRX Series devices, when the KAV license expires and a new license is

installed, deleting the old license file causes the KAV engine status to change to Not

Ready. The deleting event triggers an AV license status update. The utmd process

might recognize that the KAV license is not installed and the pattern database is

unloaded. PR954590

• On all SRX Series devices with UTM and the Sophos antivirus (SAV) service enabled, if source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV service time out. PR963978

• On all high-end SRX Series devices, UTM blacklists and whitelists should work without

an EWF license. PR970597

VPNs

• On all SRX Series devices, when IPsec is enabled, AppQoS does not assign egress

traffic to the configured forwarding class. PR753762

• On all SRX Series devices, in site-to-site IPsec VPN deployments using IKEv2, when tunnels are removed through a configuration change, the information is not propagated to the remote peer. Later, when the peer initiates a normal Phase 1 rekey process, the kmd process crashes and core files are generated. PR898198

• On all SRX Series devices, during a VPN configuration change made in the same commit as an interface configuration change, or after rebooting the device with VPN and interface configured together, the tunnel sessions created in flowd are missing. This impacts the traffic flow on that tunnel. The invalid bind interface counter returns a nonzero value when you run the show usp ipsec global-stat command. PR928945

• Certificate-based authentication would fail when the RSA signature from the remote

peer used SHA-256 as the message digest algorithm. PR936141

• On all SRX Series devices configured with IPsec VPN and with VPN monitoring enabled, the VPN monitor function triggers a socket leak, which might result in critical issues such as flow SPUs becoming unresponsive. PR940093

• On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or

flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link

increases. PR941999

• On all SRX Series devices with multiple proxy-identity (MPID), dead routes are seen

while moving the st0 interface from one virtual router to another. PR943577

• On all branch SRX Series devices configured in a chassis cluster with route based IPsec

VPN enabled, during RG0 failover to the new primary node, if a route-based VPN does

not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated

with the tunnel is marked down. The interface remains in down state, causing the VPN

traffic to drop. PR944478

• On all SRX Series devices, after traffic-selector configuration is deleted from the VPN

configuration object, the data traffic stops passing through the tunnel. PR944598

• On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage

occurs after installing the additional SPC cards without a full cluster reboot, and IPsec

tunnels carry the SCTP traffic anchored on the device. PR945162

• SRX Series devices cannot perform automatic certificate reenrollment through SCEP, because the certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up. PR946619

• On all SRX Series devices, when there are more than 100 traffic selectors configured

on a VPN configuration object along with configured, established, tunnels, if all IPsec

SAs for this VPN configuration object are cleared at the same time (because of a

configuration change on a peer or the use of the clear operational command), the

bind-interface associated with that VPN configuration object might be marked as

down. PR947103

• On all SRX Series devices, in a hub-spoke IPsec VPN scenario, when you commit the

static NHTB configuration on the multipoint secure tunnel (st0) interface, the VPN

routes might become active even though the VPN tunnel is down. This issue also occurs

when you reboot the system with static NHTBs and the related static routes are

configured. PR947149


• On SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP)

VPN node, the VPN tunnel interface st0.x link incorrectly remains up when IPsec Security

Association (SA) is not established, even though VPN monitoring or establish-tunnels

immediately is configured. PR947552

• On all SRX Series devices, IPsec VPN packets are dropped in a chassis cluster Z mode

when a fragmentation is required. PR956808

• On all SRX Series devices, any configuration changes to the st0.x interface might delete

NHTB entries for unrelated st0 interfaces. PR958190

• On all SRX Series devices, in some situations, if the CRL server is not reachable, a memory leak might occur and the message kern.maxfiles limit exceeded by uid 0 is shown on the console. As a result, the device administrator can no longer log in to the device. PR959194

• On all SRX Series devices, IPsec VPN tunnels could not come up due to unavailability

of buffer space. PR985494

Related Documentation

• New and Changed Features on page 4

• Changes in Behavior and Syntax on page 15

• Known Behavior on page 19

• Known Issues on page 28

• Documentation Updates on page 47

• Migration, Upgrade, and Downgrade Instructions on page 50


Documentation Updates

This section lists the errata and changes in Junos OS Release 12.1X47-D10 documentation.

Documentation Updates for the Junos OS Software Documentation

This section lists the errata and changes in the software documentation.

IDP Policies Feature Guide for Security Devices

• This guide is missing information about new policy templates.

Six new IDP Policy templates are added.

The new templates have the following features:

• They are designed for ease of use and provide balanced performance and coverage.

• The new templates include client protection, server protection, and client/server

protection.

• Each of the new templates has two versions that are device specific, a 1-gigabyte

(GB) version and a 2-GB version.

NOTE: The 1-gigabyte versions labeled 1G should only be used for devices that are limited to 1 GB of memory. If a 1-GB device loads anything other than a 1-GB policy, the device might experience policy compilation errors due to limited memory or limited coverage. If a 2-GB device loads anything other than a 2-GB policy, the device might experience limited coverage.

Use these templates as a guideline for creating policies. We recommend that you

make a copy of these templates and use the copy (not the original) for the policy.

This approach allows you to make changes to the policy and to avoid future issues

due to changes in the policy templates.

The complete list of the new IDP policy templates is given in Table 6 on page 48


Table 6: New IDP Policy Templates

Updated/Currently Available Policy Templates:

    root@R1# set security idp active-policy ?
    Possible completions:
      <active-policy>      Set active policy
      Client-And-Server-Protection
      Client-And-Server-Protection-1G
      Client-Protection
      Client-Protection-1G
      DMZ_Services
      DNS_Service
      File_Server
      Getting_Started
      IDP_Default
      Recommended
      Server-Protection
      Server-Protection-1G
      Web_Server

Previously Available Policy Templates:

    root@R1# set security idp active-policy ?
    Possible completions:
      <active-policy>      Set active policy
      DMZ_Services
      DNS_Service
      File_Server
      Getting_Started
      IDP_Default
      Recommended
      Web_Server

Descriptions of the new IDP policy templates are provided in Table 7 on page 48

Table 7: Descriptions of the New IDP Templates

Template: Description

Client-And-Server-Protection: Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory.

Client-And-Server-Protection-1G: Designed to protect both clients and servers. To be used on all devices, including low-memory branch devices.

Client-Protection: Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory.

Client-Protection-1G: Designed to protect clients. To be used on all devices, including low-memory branch devices.

Server-Protection: Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory.

Server-Protection-1G: Designed to protect servers. To be used on all devices, including low-memory branch devices.

Multicast Feature Guide for Security Devices

Multicast Source Discovery Protocol (MSDP) is not supported on SRX Series devices in

any type of custom routing instance.


Various Guides

• Some Junos OS user, reference, and configuration guides—for example the Junos

Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS

System Basics Configuration Guide—mistakenly do not indicate SRX Series device

support in the “Supported Platforms” list and other related support information;

however, many of those documented Junos OS features are supported on SRX Series

devices. For full, confirmed support information about SRX Series devices, please refer

to Feature Explorer:

http://pathfinder.juniper.net/feature-explorer/select-software.html?swName=Junos+OS&typ=1.


Related Documentation

• New and Changed Features on page 4

• Changes in Behavior and Syntax on page 15

• Known Behavior on page 19

• Known Issues on page 28

• Resolved Issues on page 34

• Migration, Upgrade, and Downgrade Instructions on page 50

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade

policies for Junos OS. Upgrading or downgrading Junos OS can take several hours,

depending on the size and configuration of the network.

• End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines on page 50

• Upgrading and Downgrading Among Junos OS Releases on page 51

• Upgrading an AppSecure Device on page 52

• Network and Security Manager Support on page 53

• Upgrade and Downgrade Scripts for Address Book Configuration on page 53

• Hardware Requirements on page 56

End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines

Starting in Junos OS Release 12.1X47-D10, the J Series devices and the low-memory

versions of the SRX100 and SRX200 lines are discontinued and no longer supported.

NOTE: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported on the J Series devices or on the low-memory versions of the SRX100 and SRX200 lines. If you attempt to upgrade one of these devices to Junos OS 12.1X47-D10, installation will be aborted with the following error message:

ERROR: Unsupported platform <platform-name> for 12.1X47 and higher

For the model numbers of the discontinued products, the recommended replacement

products, and minimum software requirements for the replacements, see:

http://www.juniper.net/support/eol/

If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).


Upgrading and Downgrading Among Junos OS Releases

All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones

webpage:

http://www.juniper.net/support/eol/junos.html

To help in understanding the examples that are presented in this section, a portion of

that table is replicated here. Note that releases footnoted with a 1 are Extended

End-of-Life (EEOL) releases.

You can directly upgrade or downgrade between any two Junos OS releases that are

within three releases of each other.

• Example: Direct release upgrade

Release 10.3 → (bypassing Releases 10.4 and 11.1) Release 11.2

To upgrade or downgrade between Junos OS releases that are more than three releases apart, you can upgrade or downgrade first to an intermediate release that is within three releases of the desired release, and then upgrade or downgrade from that release to the desired release.

• Example: Multistep release downgrade

Release 11.3 → (bypassing Releases 11.2 and 11.1) Release 10.4 → Release 10.3

Juniper Networks has also provided an even more efficient method of upgrading and downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a calendar year and can be more than three releases apart. For a list of EEOL releases, go to http://www.juniper.net/support/eol/junos.html

You can directly upgrade or downgrade between any two Junos OS EEOL releases that

are within three EEOL releases of each other.

• Example: Direct EEOL release upgrade

Release 9.3 (EEOL) → (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL]) Release 11.4

(EEOL)

To upgrade or downgrade between Junos OS EEOL releases that are more than three

EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within

three EEOL releases of the desired EEOL release, and then upgrade from that EEOL

release to the desired EEOL release.

• Example: Multistep release upgrade using intermediate EEOL release

Release 8.5 (EEOL) → (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL]) Release 10.4

(EEOL) → Release 11.4 (EEOL)

You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade

step if your desired release is several releases later than your current release.

• Example: Multistep release upgrade using intermediate EEOL release

Release 9.6 → Release 10.0 (EEOL) → Release 10.2

For additional information about how to upgrade and downgrade, see the Junos OS

Installation and Upgrade Guide.
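The two hop rules above (direct hops between releases at most three releases apart, and direct hops between EEOL releases at most three EEOL releases apart) are easy to get wrong by hand when planning a multistep upgrade or downgrade. The planner below is an added example, not a Juniper tool: it finds the fewest-hop path under those rules, preferring at each hop the release that lands closest to the target. The release ordering and EEOL flags it uses are a constructed table assembled only from the examples in this section; the authoritative list is the Dates & Milestones page linked above, and on a real plan you would replace the table with that list.

```python
from collections import deque

# Constructed, illustrative ordering of releases with their EEOL flags, built
# from the examples in this section. Replace with the Dates & Milestones table.
RELEASES = [
    ("8.5", True), ("9.0", False), ("9.1", False), ("9.2", False),
    ("9.3", True), ("9.4", False), ("9.5", False), ("9.6", False),
    ("10.0", True), ("10.1", False), ("10.2", False), ("10.3", False),
    ("10.4", True), ("11.1", False), ("11.2", False), ("11.3", False),
    ("11.4", True),
]
MAX_HOP = 3  # "within three releases": index distance, target included

INDEX = {name: i for i, (name, _) in enumerate(RELEASES)}
EEOL_INDEX = {name: i for i, name in enumerate(n for n, eeol in RELEASES if eeol)}


def is_direct(src, tgt):
    """True if src -> tgt is a single supported upgrade or downgrade step."""
    if abs(INDEX[src] - INDEX[tgt]) <= MAX_HOP:
        return True
    # Two EEOL releases may be hopped directly when at most three EEOL releases apart.
    return (src in EEOL_INDEX and tgt in EEOL_INDEX
            and abs(EEOL_INDEX[src] - EEOL_INDEX[tgt]) <= MAX_HOP)


def plan_path(src, tgt):
    """Fewest-hop release sequence from src to tgt (breadth-first search).
    Among equally short paths, each hop prefers the release closest to tgt."""
    for release in (src, tgt):
        if release not in INDEX:
            raise ValueError(f"unknown release {release!r}")
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == tgt:
            break
        nxt = [n for n, _ in RELEASES
               if n != cur and n not in parent and is_direct(cur, n)]
        nxt.sort(key=lambda n: abs(INDEX[n] - INDEX[tgt]))
        for n in nxt:
            parent[n] = cur
            queue.append(n)
    path, node = [], tgt
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


if __name__ == "__main__":
    for src, tgt in (("10.3", "11.2"), ("11.3", "10.3"), ("9.3", "11.4"), ("8.5", "11.4")):
        print(f"{src} -> {tgt}: {' -> '.join(plan_path(src, tgt))}")
```

With the constructed table the planner reproduces the four worked examples above: 10.3 goes straight to 11.2, 11.3 steps down through 10.4 to 10.3, 9.3 (EEOL) jumps directly to 11.4 (EEOL), and 8.5 (EEOL) reaches 11.4 through the intermediate EEOL release 10.4.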

Upgrading an AppSecure Device

Use the no-validate Option for AppSecure Devices.

For devices implementing AppSecure services, use the no-validate option when upgrading

from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature

package used with AppSecure services in previous releases has been moved from the

configuration file to a signature database. This change in location can trigger an error

during the validation step and interrupt the Junos OS upgrade. The no-validate option

bypasses this step.

Copyright © 2014, Juniper Networks, Inc.52

Junos OS 12.1X47 Release Notes


Network and Security Manager Support

Network and Security Manager (NSM) support for SRX Series Services Gateways with

Junos OS 12.1X47-D10 is available only with NSM versions 2012.2R6 / 2012.1R10 and later.

For additional information, see Network and Security Manager documentation.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security]

hierarchy and attach security zones to them (zone-attached configuration). In Junos OS

Release 11.1 and earlier, address books were defined under the [security zones] hierarchy

(zone-defined configuration).

You can either define all address books under the [security] hierarchy in a zone-attached

configuration format or under the [security zones] hierarchy in a zone-defined configuration

format; the CLI displays an error and fails to commit the configuration if you configure

both configuration formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the

address book configuration formats (see Figure 1 on page 54).

• About Upgrade and Downgrade Scripts on page 53

• Running Upgrade and Downgrade Scripts on page 54

• Upgrade and Downgrade Support Policy for Junos OS Releases on page 55


About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring

the address book feature:

• Use the default address book configuration—You can configure address books using

the zone-defined configuration format, which is available by default. For information

on how to configure zone-defined address books, see the Junos OS Release 11.1

documentation.

• Use the upgrade script—You can run the upgrade script available on the Juniper Networks

support site to configure address books using the new zone-attached configuration

format. When upgrading, the system uses the zone names to create address books.

For example, addresses in the trust zone are created in an address book named

trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules

remain unaffected.

After upgrading to the zone-attached address book configuration:

• You cannot configure address books using the zone-defined address book

configuration format; the CLI displays an error and fails to commit.

• You cannot configure address books using the J-Web interface.

For information on how to configure zone-attached address books, see the Junos OS

Release 12.1 documentation.


• Use the downgrade script—After upgrading to the zone-attached configuration, if you

want to revert to the zone-defined configuration, use the downgrade script available

on the Juniper Networks support site. For information on how to configure zone-defined

address books, see the Junos OS Release 11.1 documentation.

NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books

[Figure: the two address book formats and the scripts that move between them]

zone-defined address book
  → Download Junos OS Release 11.2 or later.
  → Run the upgrade script.
  → zone-attached address book configuration
      - Global address book is available by default.
      - Address book is defined under the security hierarchy.
      - Zones need to be attached to address books.

zone-attached address book configuration
  → Run the downgrade script.
     Note: Make sure to revert any configuration that uses addresses from the global address book.
  → zone-defined address book

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed.

Thus, if the zone-defined address book and zone-attached address book configurations

are present on your system at the same time, the scripts will not run.

• The scripts cannot run when the global address book exists on your system.

• If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the

master logical system retains any previously configured zone-defined address book

configuration. The master administrator can run the address book upgrade script to

convert the existing zone-defined configuration to the zone-attached configuration.


The upgrade script converts all zone-defined configurations in the master logical system

and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos

OS Configuration and Operations Automation Guide.
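The upgrade script itself is obtained from the Juniper Networks support site. The following Python is an added illustration, not Juniper's script, of the conversion the text describes (addresses in zone X are moved into an address book named X-address-book under the [security] hierarchy, and zone X is attached to it) together with the two preconditions from the restrictions above: it refuses to run on a mixed zone-defined/zone-attached configuration and when a global address book exists. The set-command syntax for both formats and the sample configuration are assumed and constructed for this example; confirm them against the Junos OS Release 11.1 and 12.1 documentation before applying anything like this to a device.

```python
"""Illustrative conversion of zone-defined address books (Junos OS 11.1 and
earlier, under [security zones]) to the zone-attached format (Junos OS 12.1,
under [security]). Added example, not Juniper's upgrade script; the
set-command syntax for both formats is assumed.
"""
import re
from typing import List

# Zone-defined form (assumed): set security zones security-zone <zone> address-book <rest>
ZONE_DEFINED = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book (?P<rest>.+)$")
# Zone-attached form (assumed): set security address-book <book> ...
ZONE_ATTACHED = re.compile(r"^set security address-book (?P<book>\S+)(?: |$)")


class AddressBookConversionError(Exception):
    """Raised when a precondition of the upgrade script is not met."""


def detect_format(config: List[str]) -> str:
    """Return 'zone-defined', 'zone-attached', 'mixed' or 'none'."""
    defined = any(ZONE_DEFINED.match(line) for line in config)
    attached = any(ZONE_ATTACHED.match(line) for line in config)
    if defined and attached:
        return "mixed"
    if defined:
        return "zone-defined"
    if attached:
        return "zone-attached"
    return "none"


def convert_to_zone_attached(config: List[str]) -> List[str]:
    """Rewrite every zone-defined address-book statement into a book named
    <zone>-address-book under [security] and attach that zone to it.

    Preconditions mirror the release notes: the script cannot run on a mixed
    configuration (it would not commit) or when a global address book exists.
    Statements that are not address-book statements, including security
    policies and NAT rules, pass through unchanged.
    """
    for line in config:
        m = ZONE_ATTACHED.match(line)
        if m and m.group("book") == "global":
            raise AddressBookConversionError(
                "global address book exists; revert configuration that uses it first")
    fmt = detect_format(config)
    if fmt == "mixed":
        raise AddressBookConversionError(
            "zone-defined and zone-attached address books both present; commit fails")
    if fmt != "zone-defined":
        return list(config)  # nothing to convert

    out: List[str] = []
    zones_seen: List[str] = []  # first-seen order, used for the attach statements
    for line in config:
        m = ZONE_DEFINED.match(line)
        if not m:
            out.append(line)
            continue
        zone, rest = m.group("zone"), m.group("rest")
        out.append(f"set security address-book {zone}-address-book {rest}")
        if zone not in zones_seen:
            zones_seen.append(zone)
    for zone in zones_seen:
        out.append(f"set security address-book {zone}-address-book attach zone {zone}")
    return out


# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONFIG = [
    "set security zones security-zone trust address-book address web-srv 10.1.1.10/32",
    "set security zones security-zone trust address-book address-set web-farm address web-srv",
    "set security zones security-zone untrust address-book address partner-net 203.0.113.0/24",
    "set security policies from-zone trust to-zone untrust policy allow-web match source-address web-srv",
    "set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24",
]

if __name__ == "__main__":
    for statement in convert_to_zone_attached(SAMPLE_CONFIG):
        print(statement)
```

Run it against a `show configuration | display set` dump saved to a file by feeding the lines to `convert_to_zone_attached`; the precondition checks raise before any output is produced, which is the behaviour you want from a migration tool that must never leave a half-converted, uncommittable configuration behind.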

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at

a time is not provided, except for releases that are designated as Extended End-of-Life

(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can

upgrade directly from one EEOL release to the next EEOL release even though EEOL

releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after

the currently installed EEOL release, or to two EEOL releases before or after. For example,

Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS

Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However,

you cannot upgrade directly from a non-EEOL release that is more than three releases

ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3

(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS

Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases

before or after, first upgrade to the next EEOL release and then upgrade or downgrade

from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

http://www.juniper.net/support/eol/junos.html .
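The release-span rules stated in this section and illustrated by the worked upgrade and downgrade examples earlier in these instructions amount to a reachability rule, and a practitioner planning a multistep upgrade wants that rule checked mechanically rather than by counting on the EOL page. The following Python is an added example, not Juniper code and not the logic of the Junos installer: it encodes a direct hop as permitted when the two releases are at most three releases apart, or when both are EEOL releases within three EEOL releases of each other (the reading that the 9.3 → 11.4 example above uses), validates a proposed path, and finds a fewest-hop path that prefers going through the next EEOL release as the text recommends. The ordered release train is assumed for illustration; only 8.5, 9.3, 10.0, 10.4 and 11.4 are identified as EEOL by these notes, so verify the table against http://www.juniper.net/support/eol/junos.html before acting on a computed path.

```python
"""Plan a Junos OS upgrade or downgrade path under the release-span rules
described in these release notes. Added example, not Juniper code.

Rules encoded:
  * A single upgrade or downgrade may span at most three releases.
  * Two EEOL releases may be moved between directly when they are within
    three EEOL releases of each other (the reading the 9.3 -> 11.4 example uses).
The ordered release list is ASSUMED for illustration; only 8.5, 9.3, 10.0,
10.4 and 11.4 are identified as EEOL by the notes. Verify against
http://www.juniper.net/support/eol/junos.html before relying on a path.
"""
from collections import deque
from typing import Dict, List, Optional

MAX_SPAN = 3  # "more than three releases at a time is not provided"

RELEASES: List[str] = [  # assumed release train, oldest first
    "8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
    "10.0", "10.1", "10.2", "10.3", "10.4",
    "11.1", "11.2", "11.3", "11.4", "12.1",
]
EEOL: List[str] = ["8.5", "9.3", "10.0", "10.4", "11.4"]  # named as EEOL in the notes

_IDX: Dict[str, int] = {r: i for i, r in enumerate(RELEASES)}
_EEOL_IDX: Dict[str, int] = {r: i for i, r in enumerate(EEOL)}


def direct_hop_allowed(src: str, dst: str) -> bool:
    """True if the notes permit moving from src to dst in one step."""
    for r in (src, dst):
        if r not in _IDX:
            raise ValueError(f"unknown release {r!r}")
    if abs(_IDX[src] - _IDX[dst]) <= MAX_SPAN:
        return True  # ordinary rule: at most three releases apart
    if src in _EEOL_IDX and dst in _EEOL_IDX:
        return abs(_EEOL_IDX[src] - _EEOL_IDX[dst]) <= MAX_SPAN  # EEOL shortcut
    return False


def validate_path(path: List[str]) -> bool:
    """Check that each consecutive pair in path is a permitted direct hop."""
    return bool(path) and all(direct_hop_allowed(a, b) for a, b in zip(path, path[1:]))


def plan_path(src: str, dst: str) -> Optional[List[str]]:
    """Fewest-hop path from src to dst (upgrade or downgrade), or None.

    Breadth-first search over permitted hops. Candidates from each release
    are tried EEOL releases first, then by proximity to dst, so the search
    prefers the "go to the next EEOL release first" route the notes recommend
    (e.g. 10.3 -> 10.4 -> 11.4, and 11.3 -> 10.4 -> 10.3 from the examples).
    """
    for r in (src, dst):
        if r not in _IDX:
            raise ValueError(f"unknown release {r!r}")
    if src == dst:
        return [src]
    target = _IDX[dst]
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        cands = [r for r in RELEASES if r not in parent and direct_hop_allowed(cur, r)]
        cands.sort(key=lambda r: (r not in _EEOL_IDX, abs(_IDX[r] - target)))
        for nxt in cands:
            parent[nxt] = cur
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    for a, b in [("11.3", "10.3"), ("9.3", "11.4"), ("8.5", "11.4"), ("10.3", "11.4")]:
        print(f"{a} -> {b}: {' -> '.join(plan_path(a, b))}")
```

The search treats upgrades and downgrades symmetrically, which is what the text states; if the EOL page lists a release in your train that is missing from the assumed table, add it in order, since the span count depends on every intermediate release being present.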


Hardware Requirements

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used

on SRX Series interface modules. Different transceiver types (long-range, short-range,

copper, and others) can be used together on multiport SFP interface modules as long

as they are provided by Juniper Networks. We cannot guarantee that the interface module

will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Related Documentation

• New and Changed Features on page 4

• Changes in Behavior and Syntax on page 15

• Known Behavior on page 19

• Known Issues on page 28

• Resolved Issues on page 34

• Documentation Updates on page 47

Product Compatibility

• Hardware Compatibility on page 56

Hardware Compatibility

To obtain information about the components that are supported on the device, and

special compatibility guidelines with the release, see the SRX Series Hardware Guide.

To determine the features supported on SRX Series devices in Junos OS Release

12.1X47-D10, use the Juniper Networks Feature Explorer, a Web-based application that

helps you to explore and compare Junos OS feature information to find the right software

release and hardware platform for your network. Find Feature Explorer at:

http://pathfinder.juniper.net/feature-explorer/.

Third-Party Components

This product includes third-party components. To obtain a complete list of third-party

components, see Copyright and Trademark Information.


Finding More Information

For the latest, most complete information about known and resolved issues with the

Junos OS, see the Juniper Networks Problem Report Search application at:

http://prsearch.juniper.net.

Juniper Networks Feature Explorer is a Web-based application that helps you to explore

and compare Junos OS feature information to find the correct software release and

hardware platform for your network. Find Feature Explorer at:

http://pathfinder.juniper.net/feature-explorer/.

Juniper Networks Content Explorer is a Web-based application that helps you explore

Juniper Networks technical documentation by product, task, and software release, and

download documentation in PDF format. Find Content Explorer at:

http://www.juniper.net/techpubs/content-applications/content-explorer/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can provide feedback by using either of the following

methods:

• Online feedback rating system—On any page at the Juniper Networks Technical

Documentation site at http://www.juniper.net/techpubs/index.html, simply click the

stars to rate the content, and use the pop-up form to provide us with information about

your experience. Alternately, you can use the online feedback form at

https://www.juniper.net/cgi-bin/docbugreport/.

• E-mail—Send your comments to [email protected]. Include the document

or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf.

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.


Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides you with the

following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement

(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from

the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip

utility, rename the file to include your company name, and copy it to

ftp.juniper.net/pub/incoming. Then send the filename, along with software version

information (the output of the show version command) and the configuration, to

[email protected]. For documentation issues, fill out the bug report form located at

https://www.juniper.net/cgi-bin/docbugreport/.


Revision History

17 September 2014—Revision 3—Junos OS 12.1X47-D10 – SRX Series.

Copyright © 2014, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
