Release Notes 12.1X47-D20
Release Notes: Junos OS Release 12.1X47-D20 for the SRX Series
Release 12.1X47-D20
24 March 2015
Revision 2

Contents

Introduction
New and Changed Features
  Release 12.1X47-D20 Hardware Features
    Interfaces and Chassis
  Release 12.1X47-D20 Software Features
    System Logging
  Release 12.1X47-D15 Hardware Features
    Interfaces and Chassis
  Release 12.1X47-D15 Software Features
    Application Identification and Tracking
    Authentication, Authorization and Accounting (AAA)
    Chassis Cluster
    Flow-Based and Packet-Based Processing
    General Routing
    Interfaces and Chassis
    IPv6
    Network Address Translation (NAT)
    Network Management and Monitoring
  Release 12.1X47-D10 Hardware Features
    Interfaces and Chassis
  Release 12.1X47-D10 Software Features
    Application Identification and Tracking
    Chassis Cluster
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    General Packet Radio Service (GPRS)
    Interfaces and Chassis
    J-Web
    Layer 2 Features
    Multicast
    Network Address Translation (NAT)
    Network Management and Monitoring
    Port Security
    Public Key Infrastructure (PKI)
    Routing Protocols
    Security Policy
    Unified Threat Management (UTM)
    VPNs
Changes in Behavior and Syntax
  Application Identification and Tracking
  Chassis Cluster
  Flow-Based and Packet-Based Processing
  Intrusion Detection Prevention (IDP)
  Network Time Protocol
  Screens
  Security
  System Logging
  System Management
  Unified Threat Management (UTM)
  VPNs
Known Behavior
  Application Identification and Tracking
  CLI and J-Web
  Dynamic Host Configuration Protocol (DHCP)
  Flow-Based and Packet-Based Processing
  General Packet Radio Service (GPRS)
  Hardware
  Interfaces and Chassis
  Integrated User Firewall
  Intrusion Detection and Prevention (IDP)
  IP Monitoring
  IPv6
  Layer 2 Transparent Mode
  Network Address Translation (NAT)
  TCP-Based DNS
  Upgrade and Downgrade
  VPNs
Known Issues
  Application Identification and Tracking
  Application Layer Gateways (ALGs)
  Chassis Cluster
  Dynamic Host Configuration Protocol (DHCP)
  Flow-Based and Packet-Based Processing
  Interfaces and Routing
  Intrusion Detection and Prevention (IDP)
  J-Web
  Network Address Translation (NAT)
  Platform and Infrastructure
  Security Policy
  System Logging
  VPN
Resolved Issues
  Resolved Issues 12.1X47-D20
    Application Layer Gateways (ALGs)
    Chassis Cluster
    CLI
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Platform and Infrastructure
    Security Policy
    System Logging
    Unified Threat Management (UTM)
    VPN
  Resolved Issues 12.1X47-D15
    Application Layer Gateways (ALGs)
    Certificate Authority (CA)
    Chassis Cluster
    Flow-Based and Packet-Based Processing
    Dynamic Host Configuration Protocol (DHCP)
    General Packet Radio Service (GPRS)
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Network Address Translation (NAT)
    Platform and Infrastructure
    Screens
    System Logging
    Unified Threat Management (UTM)
    VPN
  Resolved Issues 12.1X47-D10
    Application Layer Gateways (ALGs)
    Authentication and Access Control
    Chassis Cluster
    Dynamic Host Configuration Protocol (DHCP)
    Flow-Based and Packet-Based Processing
    General Packet Radio Service (GPRS)
    Hardware
    Interfaces and Routing
    Intrusion Detection and Prevention (IDP)
    J-Web
    Network Address Translation (NAT)
    Platform and Infrastructure
    Switching
    System Logging
    Unified Threat Management (UTM)
    VPNs
Documentation Updates
  Documentation Updates for the Junos OS Software Documentation
    IDP Policies Feature Guide for Security Devices
    Multicast Feature Guide for Security Devices
    Various Guides
Migration, Upgrade, and Downgrade Instructions
  End-of-Life Announcement for J Series devices and the low-Memory Versions of SRX100 and SRX200 Lines
  Upgrading and Downgrading Among Junos OS Releases
  Upgrading an AppSecure Device
  Network and Security Manager Support
  Upgrade and Downgrade Scripts for Address Book Configuration
    About Upgrade and Downgrade Scripts
    Running Upgrade and Downgrade Scripts
  Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases
  Hardware Requirements
    Transceiver Compatibility for SRX Series Devices
Product Compatibility
  Hardware Compatibility
Third-Party Components
Finding More Information
Documentation Feedback
Requesting Technical Support
Revision History

Copyright © 2015, Juniper Networks, Inc.

Introduction

Junos OS runs on the following Juniper Networks hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric, QFX Series, SRX Series, and T Series.

These release notes accompany Junos OS Release 12.1X47 for the SRX Series. They describe new and changed features, known behavior, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/techpubs/software/junos/.

New and Changed Features

This section describes the new features and enhancements to existing features in Junos OS Release 12.1X47 for the SRX Series.

Release 12.1X47-D20 Hardware Features

Interfaces and Chassis

• Air deflector kits for SRX3600 and SRX5400 Services Gateways—The SRX3600 and SRX5400 Services Gateways support the new air deflector kits that let you install the devices in a ventilation environment with designated hot and cold aisles. These kits are optional, converting the services gateway from side-to-side ventilation to front-to-back ventilation by directing the ventilation with cold air entering from the front and warm exhaust exiting from the back.
  NOTE: The SRX3400 and SRX5600 Services Gateways support the earlier air deflector kits. See SRX3400 and SRX5600 Services Gateways Air Deflector Kits.
  [See the Air Deflector Kit Installation Guide for SRX3600 and SRX5400 Services Gateways.]
Release 12.1X47-D20 Software Features

System Logging

• TCP/TLS support for real-time logging for SRX Series devices—Starting in Junos OS Release 12.1X47-D20, a secure mechanism, enabled through a plug-in during system initialization, encrypts and transports dataplane syslog messages to TLS-capable syslog receivers (such as the Juniper Networks STRM or a standards-based third-party device) over TCP on all branch SRX Series devices in addition to high-end SRX Series devices. The SPU generates the log data. By default, port 514 is used for TCP logging and port 6514 is used for TLS logging. The device acts as the log client and initiates the TCP/TLS connection to the log server. [See the “Syslog Messages” section in the Junos OS 12.1X47-D20 Release Feature Guide.]

Release 12.1X47-D15 Hardware Features

Interfaces and Chassis

• Enhanced support for Switch Control Board and Routing Engine—Starting with Junos OS Release 12.1X47-D15, the SRX5400, SRX5600, and SRX5800 support the next-generation SCB (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4), providing a 120-Gbps per slot line rate, faster configuration processing, route convergence, and policy compilation, in addition to greater scalability and performance. The SRX5K-SCBE provides higher capacity traffic support, greater interface density, and improved services. The SRX5K-RE-1800X4 provides the interface for user access and system management, in addition to managing routing tables, routing protocols, device interfaces, and chassis components. The Routing Engine also has secondary storage through a 128-GB solid-state drive providing additional storage for Junos images. [See Switch Control Board SRX5K-SCBE and Routing Engine SRX5K-RE-1800X4.]
Release 12.1X47-D15 Software Features

Application Identification and Tracking

• SSL proxy support for SRX240, SRX550, and SRX650 devices—Starting with Junos OS Release 12.1X47-D15, SRX240, SRX550, and SRX650 devices can decrypt and inspect SSL encrypted traffic for features such as AppSecure and IDP. SSL proxy ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. [See SSL Proxy Overview.]

Authentication, Authorization and Accounting (AAA)

• RADIUS functionality over IPv6 for system AAA for SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, RADIUS functionality supports IPv6 for system authentication, authorization, and accounting (AAA) in addition to the existing RADIUS functionality over IPv4 for system AAA. With this feature, Junos OS users can log in to the device authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now configure both IPv4 and IPv6 RADIUS servers for AAA. [See the “Authentication, Authorization, and Accounting” section in the Junos OS 12.1X47-D15 Feature Guide.]

Chassis Cluster

• Encrypted control link [High-end SRX Series]—The existing control link access is enhanced to prevent attackers from logging in to the system without authentication via the control link, as Telnet access is disabled. The chassis cluster control link supports an optional encrypted security feature that you can configure and activate. Using IPsec for internal communication between devices, the configuration information that passes through the chassis cluster link from the primary node to the secondary node is encrypted. Without the internal IPsec key, an attacker cannot gain privileged access or observe traffic. To configure this feature, use the set security ipsec internal security-association manual encryption ike-ha-link-encryption enable configuration command. To enable this feature, use the request security internal-security-association refresh command at the console. [See Understanding Chassis Cluster Control Links.]

Flow-Based and Packet-Based Processing

• Data path debugging on the SRX5000 line MPC for SRX5400, SRX5600, SRX5800—Starting with Junos OS Release 12.1X47-D15, data path debugging provides tracing and debugging at multiple processing units along the packet-processing path. The packet filter can be executed with minimal impact to the production system. On a high-end SRX Series device, a packet goes through a series of events involving different components from ingress to egress processing. With the data path debugging feature, you can trace and debug (capture packets) at different data points along the processing path. At each event, you can specify an action (count, packet dump, packet summary, and trace) and set filters to define what packets to capture. [See "Understanding Data Path Debugging for SRX Series Devices" and "Example: Configuring End-to-End Debugging on a High-End SRX Series Device" in the Junos OS Release 12.1X47-D15 Feature Guide.]

General Routing

• SRX5K-RE-1800X4 for SRX5400, SRX5600, and SRX5800 devices—Starting with Junos OS Release 12.1X47-D15, the SRX5K-RE-1800X4 Routing Engine is introduced. The SRX5K-RE-1800X4 has an Intel quad-core Xeon processor, 16 GB of DRAM, and a 128-GB solid-state drive (SSD). The number 1800 refers to the speed of the processor (1.8 GHz). The maximum required power for this Routing Engine is 90 W. The SRX5K-RE-1800X4 has the following features:
  • Increased CPU power provides higher control plane scalability.
    NOTE: The SRX5K-RE-1800X4 provides significantly better performance than the previously used Routing Engine, even with a single core.
  • Memory address space is increased from 2 GB to 4 GB.
  • The SSD provides superior reliability.
  The part number and model number for the SRX5K-RE-1800X4 can be viewed using the following CLI commands:
  • show chassis hardware
  • show chassis hardware models

Interfaces and Chassis

• Switch Control Board II for SRX5400, SRX5600, and SRX5800—Starting with Junos OS Release 12.1X47-D15, the Switch Control Board (SCB) II (SRX5K-SCBE) is introduced. SCB II (SRX5K-SCBE) has the following features:
  • Used in the SCB slot.
  • Supports 160-Gbps redundant raw fabric throughput per FPC slot. The SCB I (SRX5K-SCB) supports 80 Gbps. This new fabric capability enables the IOC II (SRX5K-MPC) to reach its maximum throughput of 120 Gbps and to achieve line rate on 100-Gbps interfaces.
  • In-service hardware upgrade (ISHU) from SRX5K-SCB to SRX5K-SCBE is supported in chassis cluster mode.
  • The SRX5K-SCBE uses a serializer/deserializer (SerDes) link speed of 6.22 Gbps between an SRX5K-MPC and the SRX5K-SCBE. The fabric interface has enough bandwidth to support line speed on 100-Gbps Ethernet interfaces.
    NOTE: Fabric Bandwidth Increasing Mode, which is supported in SRX5K-SCB in alignment with the SPC II (SRX5K-SPC-4-15-320), is not supported.
  • The SRX5K-SPC-4-15-320 fabric interface runs at 3.11-Gbps SerDes link speed (same as the SPC I).
  • If an IOC I and an SPC I are plugged into a chassis with an SRX5K-SCBE, those cards will remain offline. Both an SRX5K-MPC and an SRX5K-SPC-4-15-320 are required to operate with an SRX5K-SCBE.
  To display new SRX5K-SCBE information, use the following CLI commands:
  • show chassis hardware
  • show chassis environment cb
  To request that an SCB II go online or offline, use the request chassis cb (offline | online) slot slot-number CLI command.
Third SCB Supported in SRX5800

There are three SCB slots in SRX5800 devices. The third slot can be used for an SCB or an FPC. When an SRX5K-SCBE is used with an SRX5K-SCB, the third SCB slot can only be used as an FPC slot (FPC 6).

SCB redundancy is provided in chassis cluster mode. With an SRX5K-SCBE, a third SCB is supported. If a third SCB is plugged in, it provides intra-chassis fabric redundancy. If chassis cluster is enabled and a third SCB is also plugged in, both intra-chassis redundancy and inter-chassis redundancy are provided. If a fabric plane fails or a link error occurs on the active SCB, intra-chassis redundancy occurs first. If no redundant plane is available in the chassis cluster, inter-chassis redundancy is triggered and all data plane redundancy groups fail over to the other chassis cluster node.

Control Plane

The Ethernet switch in the SRX5K-SCBE provides the Ethernet connectivity among all the FPCs and the Routing Engine. The Routing Engine uses this connectivity to distribute forwarding and routing tables to the FPCs. The FPCs use this connectivity to send exception packets to the Routing Engine. The Ethernet switch used in the SRX5K-SCBE is Broadcom’s BCM56680. BCM56680 is a Layer 2 and Layer 3 switch-on-a-chip solution. It provides 1-Gbps ports with autonegotiation as well as four 10-Gbps ports. The Routing Engine also connects to the Ethernet switch through Peripheral Component Interconnect (PCI) for control. The BCM56680’s address space is mapped into PCI address space.

To display control plane details, use the following commands:
• show chassis ethernet-switch
• show chassis ethernet-switch counters

Fabric Function

The fabric connects all FPCs in the data plane. The Fabric Manager executes on the Routing Engine and controls the fabric system in the chassis. Packet Forwarding Engines on the FPC and fabric planes on the SCB are connected through HSL2 channels. HSL2 can be configured in different modes and different link speeds on each slot. SCB II supports HSL2 with both 3.11-Gbps and 6.22-Gbps (SerDes) link speed and various HSL2 modes. When an FPC is brought online, the link speed and HSL2 mode are determined by the type of FPC.

To display fabric state, use the following CLI commands:
• show chassis fabric [summary | map | fpcs | plane | plane-location]
• request chassis fabric plane plane-number [offline | online]

IPv6

• IPv6 support for outbound SSH for all high-end SRX Series devices—Starting with Junos OS Release 12.1X47-D15, high-end SRX Series devices configured with IPv6 addresses support outbound SSH connections.

Network Address Translation (NAT)

• NAT64 IPv6 Prefix to IPv4 Address Persistent Translation for SRX Series devices—Starting with Junos OS Release 12.1X46-D15, this feature, which is targeted at IPv6 mobile networks, is used with the dual-translation mechanism, 464XLAT, to enable IPv4 services to work over IPv6-only networks. It augments the existing NAT64 mechanism, which enables IPv6 clients to contact IPv4 servers by translating IPv6 addresses to IPv4 addresses (and vice versa). However, the existing NAT64 mechanism does not ensure a sticky mapping relationship for one unique end user. By configuring the new address-persistent option with a specific IPv6 prefix length for NAT64 translations in an IPv4 source NAT pool, a sticky mapping relationship is ensured between one specific IPv6 prefix and one translated IPv4 address. [See the “Network Address Translation” section in the Junos OS 12.1X47-D15 Feature Guide.]

Network Management and Monitoring

• Collect vital data on MIB OIDs for all SRX Series devices [SRX Series]—Starting in Junos OS Release 12.1X47-D15, you can collect and configure MIB OID data for later use in reports.
  You can configure the data collection duration (default is 3 days), the dump file size limit (default is 5 Mbytes for branch SRX Series and 10 Mbytes for high-end SRX Series), and the disk storage limit (default is 80%). If an issue arises, the collected data is examined to help identify its cause. Once you enable a predefined group, the vital data of all OIDs in the group is periodically collected and analyzed. Only critical data is collected when CPU utilization exceeds 60% but is within 80%. You can also collect raw MIB OID data. [See the “Network Management and Monitoring” section in the Junos OS 12.1X47-D15 Release Feature Guide.]

Release 12.1X47-D10 Hardware Features

Interfaces and Chassis

• MIC with twenty 1-Gigabit Ethernet SFP ports (SRX-MIC-20GE-SFP) [SRX5400, SRX5600, SRX5800]—MICs install into MPCs to add different combinations of Ethernet interfaces to your services gateway to suit the specific needs of your network. The SRX-MIC-20GE-SFP can be installed in an MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) Ethernet ports. You can install up to two MICs in the slots in each MPC. The SRX-MIC-20GE-SFP is hot-pluggable. You can remove and replace the MIC without powering off the services gateway, but the routing functions of the system are interrupted when the MIC is removed. [See MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP).]
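The NAT64 address-persistent behaviour described under Network Address Translation above, modelled as an added example (this is not Juniper code and not the SRX implementation): a constructed IPv4 source NAT pool that, with a persistent IPv6 prefix length configured, pins every session from one IPv6 prefix to one translated IPv4 address, and without it hands out pool addresses per session. The pool addresses and client prefixes are constructed sample values.

```python
"""Model of NAT64 'address-persistent' translation (added example, not SRX code).

A constructed IPv4 source NAT pool translates IPv6 client sources. With
address_persistent=None it models legacy NAT64: each new session may be
assigned a different pool address. With address_persistent=<prefix length>,
every session whose source falls inside the same IPv6 prefix is pinned to
one IPv4 address, which gives a single end user a stable translated
identity (and stable log correlation) across sessions.
"""
import ipaddress
from itertools import cycle


class Nat64Pool:
    """IPv4 source NAT pool used for NAT64 translation of IPv6 clients."""

    def __init__(self, ipv4_addresses, address_persistent=None):
        # address_persistent: None (per-session allocation) or the IPv6
        # prefix length whose value is kept sticky to one IPv4 address.
        if address_persistent is not None and not 0 <= address_persistent <= 128:
            raise ValueError("address_persistent must be an IPv6 prefix length")
        self.addresses = [ipaddress.IPv4Address(a) for a in ipv4_addresses]
        self.prefix_len = address_persistent
        self._round_robin = cycle(self.addresses)   # legacy per-session choice
        self._sticky = {}                           # IPv6 prefix -> IPv4 address
        self._free = list(self.addresses)           # addresses not yet pinned

    def translate(self, ipv6_source):
        """Return the translated IPv4 source address for a new session."""
        src = ipaddress.IPv6Address(ipv6_source)
        if self.prefix_len is None:
            # Legacy NAT64: no guarantee that two sessions from the same
            # client (or the same /64) share a translated address.
            return next(self._round_robin)
        prefix = ipaddress.IPv6Network((src, self.prefix_len), strict=False)
        if prefix not in self._sticky:
            if not self._free:
                # Edge case: a sticky pool can only serve as many prefixes as
                # it has IPv4 addresses; further prefixes cannot be translated.
                raise RuntimeError("pool exhausted: no IPv4 address left to pin")
            self._sticky[prefix] = self._free.pop(0)
        return self._sticky[prefix]

    def mapping_table(self):
        """Current prefix-to-address bindings, as strings, for inspection."""
        return {str(p): str(a) for p, a in self._sticky.items()}


def distinct_translations(pool, ipv6_sources):
    """Translate one session per source and return the distinct IPv4 results."""
    return sorted({str(pool.translate(s)) for s in ipv6_sources})


if __name__ == "__main__":
    # Constructed sample data: a two-address pool and three hosts that all
    # sit inside the same /64 (one subscriber's prefix).
    same_user = ["2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::ffff"]
    legacy = Nat64Pool(["203.0.113.1", "203.0.113.2"])
    print("legacy NAT64:", distinct_translations(legacy, same_user))
    sticky = Nat64Pool(["203.0.113.1", "203.0.113.2"], address_persistent=64)
    print("address-persistent /64:", distinct_translations(sticky, same_user))
    print("mapping table:", sticky.mapping_table())
```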
• Support for SFP+ 10-Gigabit and QSFP+ 40-Gigabit Ethernet transceivers [SRX5400, SRX5600, SRX5800]—The following transceivers are supported:

  Transceiver Model   Description                                                          Supported Card Model
  SRX-SFPP-10G-LR     SFP+ 10GBASE-LR Gigabit Ethernet optic module, 1310 nm for up to     SRX-MIC-10XG-SFPP
                      10 km transmission on single mode fiber (SMF) cable
  SRX-QSFP-40G-LR4    QSFP+ 40GBASE-LR4 Gigabit Ethernet single-mode optic module,         SRX-MIC-2X40G-QSFP
                      1310 nm for up to 10 km transmission on single mode fiber (SMF) cable

Release 12.1X47-D10 Software Features

Application Identification and Tracking

• Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement product for this feature, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.

• Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load on to your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them on to your system. [See Services Offloading Overview.]

• Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number.
With next-generation application identification, applications are identified by using a downloadable protocol bundle containing application signatures and parsing information. Here, identification is based on protocol behavior and session management. Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications, enables dynamic update of the detector engine without requiring a Junos OS code upgrade, and increases the application count to around 2900. [See Application Identification Feature Guide for Security Devices.]

• Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification eliminates the previously implemented pattern-based matching technology and the particular signature constructs for each application. The new detection mechanism has its own data feed and constructs to identify applications. Next-generation application identification eliminates the generation of nested applications and treats nested applications as normal applications. [See Application Identification Feature Guide for Security Devices.]

Chassis Cluster

• Autorecovery of fabric link [SRX Series]—The fabric link feature supports autorecovery, which includes the following enhancements:
  • The fabric monitoring feature is enabled by default on high-end SRX Series devices, and hence recovery of the fabric link and synchronization take place automatically.
  • If the fabric link goes down, RG1+ becomes ineligible on either the secondary node or the node with failures, by default.
  The node remains in this state until the fabric link comes up or the other node goes away.
  • If the fabric link goes down followed by the control link, then after approximately 66 seconds the secondary node (or the node with failures) assumes that the remote node is dead and takes over as the primary node.
  [See Understanding Chassis Cluster Fabric Links.]

• Enhanced debugging support for chassis cluster [SRX Series]—The chassis cluster debugging functionality has the following enhancements:
  • The show chassis cluster status command output includes failure reasons (acronyms and their expansions) when the redundancy group's priority is zero.
  • The jsrpd process is cleaner: unwanted logs are removed and debug log messages are moved from level LOG_INFO to LOG_DEBUG.
  • The show chassis cluster information command output displays redundancy group, LED, and monitored failure details.
  • SNMP traps send messages when a node's weight goes down and also when it recovers.
  • The show chassis cluster ip-monitoring command output displays both the global threshold and the current threshold of each node, and displays the weight of each monitored IP address.
  • A system log message appears when the control link goes down.
  [See show chassis cluster ip-monitoring status.]

• In-service software upgrade (ISSU) progress display [High-end SRX Series]—ISSU supports a progress indicator. During an upgrade, you can see the progress of an ISSU and the time expected to complete a process. To enable this feature, use the show chassis cluster information issu command at the console. In addition, you can monitor real-time ISSU progress through a new session to collect, report, and display cold synchronization status on SPUs. [See Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster.]
• NTP time synchronization in chassis cluster [SRX Series]—Network Time Protocol (NTP) is used to synchronize the time between the Packet Forwarding Engine and the Routing Engine in a standalone device, and between two devices in a chassis cluster. In both standalone device and chassis cluster mode, the primary Routing Engine runs the NTP process to get the time from the external NTP server. The secondary Routing Engine uses NTP to get the time from the primary Routing Engine. On both standalone devices and clusters, the Packet Forwarding Engine uses NTP to get the time from the local Routing Engine. [See Chassis Cluster Feature Guide for Security Devices.]

• Sync backup node configuration from primary node [SRX Series]—Chassis cluster supports automatic configuration synchronization. When a secondary node joins a standalone primary node and a chassis cluster is formed, the primary node configuration is copied and applied to the secondary node. This enhancement saves the user from spending time on manually copying the configuration to both nodes. [See SRX Series Chassis Cluster Configuration Overview.]

• TCP support for DNS [SRX Series]—Prior to Junos OS Release 12.1X47-D10, DNS resolution was performed with UDP as the transport. Messages carried by UDP are restricted to 512 bytes; longer messages are truncated and the traffic class (TC) bit is set in the header. The maximum length of a UDP DNS response message is 512 bytes, and the maximum length of a TCP DNS response message is 65,535 bytes. A DNS resolver determines whether a response is complete by checking whether the TC bit is set in the header. [See Reconnaissance Deterrence Feature Guide for Security Devices.]

Dynamic Host Configuration Protocol (DHCP)

• DHCP server and DHCP client [SRX Series]—The DHCP server and DHCP client include chassis cluster support for high-end SRX Series devices in addition to branch SRX Series devices.
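The following Python block is an added example illustrating the "TCP support for DNS" item above; it is not code from the Juniper release notes. It builds a DNS query, reads the TC bit (the truncation flag of the DNS header, which a server sets when the answer did not fit in the UDP limit), and shows the resolver-side decision to repeat the query over TCP, where each message carries a 2-byte length prefix. The sample responses are constructed inline so nothing touches the network; the function and constant names are the example's own.

```python
import struct

UDP_MAX_RESPONSE = 512      # UDP DNS payload limit stated in the item above
TCP_MAX_RESPONSE = 65535    # TCP DNS messages are prefixed with a 16-bit length

FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: the answer did not fit in UDP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def build_query(txid, name, qtype=1):
    """Build a minimal DNS query (QR=0, RD=1); qtype 1 asks for an A record."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields a resolver checks before trusting an answer."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_response, query_txid):
    """True when the UDP answer is marked truncated and must be re-asked over TCP."""
    h = parse_header(udp_response)
    if h["id"] != query_txid or not h["qr"]:
        raise ValueError("response does not belong to this query")
    return h["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    if len(msg) > TCP_MAX_RESPONSE:
        raise ValueError("message exceeds the 65,535-byte TCP DNS limit")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break                       # wait for the rest of this message
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


# Constructed sample responses (no network access needed).
def truncated_response(query):
    """A server that hit the UDP limit: QR=1, TC=1, question echoed, no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_TC | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def complete_response(query):
    """A normal answer: QR=1, TC=0, one A record pointing at the documentation address 192.0.2.1."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + rr


def resolve_with_fallback(query, udp_answer, tcp_stream_from_server):
    """Resolver decision: accept the UDP answer, or use the TCP answer when TC was set."""
    txid = struct.unpack("!H", query[:2])[0]
    if not needs_tcp_retry(udp_answer, txid):
        return "udp", udp_answer
    msgs, _ = unframe_tcp(tcp_stream_from_server)
    for m in msgs:
        h = parse_header(m)
        if h["id"] == txid and h["qr"] and not h["tc"]:
            return "tcp", m
    raise RuntimeError("no complete answer received over TCP")
```

A resolver that ignores the TC bit silently accepts a partial answer section, which is why the check sits before any answer record is read; the TCP framing helper also shows why the 65,535-byte ceiling exists: it is the largest value the length prefix can carry.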
  [See Administration Guide for Security Devices.]

Flow-Based and Packet-Based Processing

• LAG support in services-offload mode [High-end SRX Series]—LAGs are supported in services-offload mode. A LAG combines links and provides increased bandwidth and link availability. Services offloading reduces packet latency by processing and forwarding packets in the network processor instead of in the SPU. Supporting aggregation of links in services-offload mode combines the benefits of both features and provides enhanced throughput, link redundancy, and reduced packet latency. [See Services Offloading Overview.]

• Services offloading [SRX5600 and SRX5800]—The following services offloading features are supported:
  • Per-wing statistics counters
  • Services-offload traffic across different network processors
  • End-to-end debugging in services-offload mode
  [See Services Offloading Overview and Example: Configuring an NPC on SRX3000 Line Devices or SRX1400 Devices to Support Services Offloading.]

General Packet Radio Service (GPRS)

• SCTP IPv6 support [High-end SRX Series]—The SCTP module allows you to configure the SCTP profile with an IPv6 address and then process the IPv6 traffic. The SCTP module checks every extension header until it finds the SCTP header, then processes the SCTP header and ignores all the other headers. An SCTP endpoint can be a multihomed host with either all IPv4 addresses or all IPv6 addresses. An SCTP endpoint also supports NAT-PT in two directions, from an IPv4 address format to an IPv6 address format, and vice versa. [See General Packet Radio Service Feature Guide for Security Devices.]

• SCTP multichunk inspection [High-end SRX Series]—The SCTP firewall checks all chunks in a message and then permits or drops the packet based on the policy. You can enable SCTP multichunk inspection, or disable it so that only the first chunk is checked.
  If a data chunk is not allowed to pass through the SCTP profile because of protocol blocking or rate limiting, the SCTP firewall resets this chunk to a null PDU and continues to check the next chunk. If all chunks in a packet are null PDUs, the SCTP firewall drops the packet. [See General Packet Radio Service Feature Guide for Security Devices.]

Interfaces and Chassis

• Promiscuous mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Promiscuous mode is supported on the SRX5000 line MPC (SRX5K-MPC) on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the MICs. By default, an interface enables MAC filtering. You can configure promiscuous mode on the interface to disable MAC filtering. When you delete the promiscuous mode configuration, the interface performs MAC filtering again. You can change the MAC address of the interface even when the interface is operating in promiscuous mode. When the interface is operating in normal mode again, the MAC filtering function on the MPC uses the new MAC address to filter packets. [See Understanding Promiscuous Mode on Ethernet Interfaces.]

J-Web

• Improved browser support for J-Web [SRX Series]—J-Web is enhanced to support modern browsers such as Microsoft Internet Explorer versions 8.0, 9.0, and 10.0, Mozilla Firefox version 23+, and Google Chrome version 28+ to provide cross-platform browser compatibility. The following table shows the browser support for the J-Web application.
Table 1: Browser Compatibility on SRX Series Devices

Device | Application | Supported Browsers | Recommended Browser
SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 | J-Web | Microsoft Internet Explorer version 8.0, 9.0, and 10.0; Mozilla Firefox version 23+; Google Chrome version 28+ | Mozilla Firefox version 23+

• J-Web support for chassis cluster wizard [SRX Series]—A new J-Web wizard is introduced to support chassis clustering. J-Web provides a step-by-step wizard that assists in setting up a chassis cluster with a default basic configuration.

• J-Web UI improvements [SRX Series]—The J-Web user interface is improved for better usability. The following navigational changes are made to the Configuration tab:
  • Additional filter options are enabled on the Interface Configuration page.
  • The layout of the Zones and Screens page is enhanced.
  • A few menu items are renamed for clarity.
  • New buttons are introduced for launching wizards.
  • Application tracking (previously on the Security Logging page) is moved to the Application Tracking Configuration page.
  The Dashboard tab includes a link for setting the rescue configuration.

Layer 2 Features

• Layer 2 transparent mode support on the SRX5K-MPC [SRX5400, SRX5600, SRX5800]—Layer 2 transparent mode is supported on the SRX5000 line MPC (SRX5K-MPC). When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces on the SRX5K-MPC as Layer 2 bridging ports to support Layer 2 traffic. The SPU supports all security services for Layer 2 bridging functions, and the MPC delivers the ingress packets to the SPU and forwards the egress packets that are encapsulated by the SPU to the outgoing interfaces. [See Layer 2 Bridging and Transparent Mode Overview.]
Multicast

• Layer 3 multicast functionality on the SRX5K-MPC [SRX5400, SRX5600, and SRX5800]—Layer 3 multicast functionality is supported on the SRX5000 line MPC (SRX5K-MPC). The SRX5K-MPC collaborates with the Routing Engine, central point, and SPU to support the following Layer 3 multicast functionality:
  • Supports IP multicast routing protocols for forwarding multicast traffic
  • Establishes and coordinates operations between multicast shared trees and shortest-path trees (SPT)
  • Forwards and receives IP multicast traffic
  [See Multicast Feature Guide for Security Devices.]

Network Address Translation (NAT)

• Increased IP address pool limit [SRX5400, SRX5600, and SRX5800]—This feature is supported only on the SRX5000 line with the SPC II (SRX5K-SPC-4-15-320). It increases the maximum number of IP addresses for NAT bindings from 12,000 to 1,000,000. When using more than 12,000 IP addresses, configure the twin port range to limit the number of ports.

• Port block allocation [High-end SRX Series]—This feature allocates ports to subscribers in blocks and generates logs during block allocation or release. Deterministic port block allocation allows the mapping of a subscriber's IP address to an external address and port number using predefined algorithms. This feature reduces excessive log generation. To configure port block allocation, include the block-size, max-blocks-per-host, block-active-timeout, and log statements at the [edit security nat pool pool-name port block-allocation] hierarchy level. To configure deterministic port block allocation, include the block-size and host statements at the [edit security source pool pool-name port deterministic] hierarchy level.

• Source and destination NAT rule application [SRX Series]—The rule match criteria for source and destination NAT include a new application option. This option enables you to configure up to 3072 application terms per rule.
  In addition, you can configure up to 8 single destination ports or port ranges with the rule match destination-port option. Previously, you could configure only a single port or port range. [See match (Security Destination NAT) and match (Security Source NAT).]

• Twin port configuration [SRX5400, SRX5600, and SRX5800]—This feature lets you configure the twin port range for source NAT pools to avoid port overloading. The maximum number of translation ports is 384 million. The default twin port range is 2048, which accommodates 12,000 IP addresses. To set the global default twin port range for all source pools, use the set security nat source pool-default-twin-port-range low to high statement. To set the twin port range for a specific pool, use the set security nat source pool pool-name port range twin-port low to high statement.

  NOTE: If the twin port range is configured for a smaller range, then attackers can more easily predict the translated port.

Network Management and Monitoring

• IP monitoring of reth interface LAGs [High-end SRX Series]—In addition to the reth interface, IP monitoring through a redundant LAG is supported to take advantage of both throughput and redundancy. IP monitoring checks the end-to-end connectivity of configured IP addresses and allows a redundancy group to fail over automatically when the monitored IP address is not reachable through the reth interface. Both the primary and secondary devices in the chassis cluster monitor specific IP addresses to determine whether an upstream device in the network is reachable. [See IP Monitoring Overview.]

• IP monitoring with interface as next-hop option [SRX Series]—IP monitoring enables you to configure a static route with a P2P interface as the next-hop action when IP monitoring has failed. The following added functions support the track-ip option:
  • Next-hop type checking: IP address or interface.
  • Interface type checking for the next-hop.
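The following Python block is an added example for the "Port block allocation" item in the NAT section above; it is not Juniper code, and the mapping rule it uses (consecutive fixed-size blocks, filling one external address before the next) is an illustrative assumption rather than the SRX algorithm. It shows the property that matters operationally: because each subscriber owns a fixed external port block, an investigator can map an external address and port seen in an abuse report back to the internal host without per-session NAT logs. The class and method names are the example's own.

```python
import ipaddress


class DeterministicPortBlocks:
    """Model of deterministic port block allocation for a source NAT pool.

    Every internal host gets exactly one block of external ports, so the
    mapping is computable in both directions and no per-block log is needed.
    The layout used here is an assumption for illustration only.
    """

    def __init__(self, internal_prefix, external_addrs, block_size, port_range=(1024, 65535)):
        self.hosts = list(ipaddress.ip_network(internal_prefix).hosts())
        self.external = [ipaddress.ip_address(a) for a in external_addrs]
        if block_size <= 0:
            raise ValueError("block_size must be positive")
        self.block_size = block_size
        self.low, self.high = port_range
        self.blocks_per_addr = (self.high - self.low + 1) // block_size
        capacity = self.blocks_per_addr * len(self.external)
        if len(self.hosts) > capacity:
            # A deterministic scheme must be sized up front: each host needs its own block.
            raise ValueError(f"{len(self.hosts)} hosts but only {capacity} port blocks")

    def block_for(self, internal_ip):
        """Return (external address, first port, last port) assigned to an internal host."""
        idx = self.hosts.index(ipaddress.ip_address(internal_ip))
        ext = self.external[idx // self.blocks_per_addr]
        first = self.low + (idx % self.blocks_per_addr) * self.block_size
        return str(ext), first, first + self.block_size - 1

    def subscriber_for(self, external_ip, port):
        """Reverse lookup for incident response: which internal host owned this external port?"""
        ext_idx = self.external.index(ipaddress.ip_address(external_ip))
        if not self.low <= port <= self.high:
            raise ValueError(f"port {port} is outside the pool's translation range")
        block = (port - self.low) // self.block_size
        idx = ext_idx * self.blocks_per_addr + block
        # Blocks beyond the last host are unassigned; a hit there is not attributable.
        return str(self.hosts[idx]) if idx < len(self.hosts) else None
```

The capacity check in the constructor is the design point: deterministic allocation trades log volume for a fixed, pre-sized port budget per subscriber, so a pool that cannot cover every host must be rejected at configuration time rather than failing silently for the last hosts.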
  Only a P2P interface is supported; an error message results when the configuration is committed.
  • You can use the interface as a next-hop to construct route parameters and call the RPD API to add a static route; route addition results are logged.
  • Existing code is used to delete the route when the primary route recovers.
  [See show services ip-monitoring status.]

Port Security

• UDP port scan protection [SRX Series]—The UDP port scanning feature is similar to TCP port scanning in capabilities, user commands, and operational implementation. The UDP port scanning option is disabled by default. The default threshold period value is 5000 microseconds. You can manually set the threshold period value, which ranges from 1000 to 1,000,000 microseconds. This feature protects against DDoS attacks on some exposed public UDP services by allowing fewer than 10 new sessions in the configured threshold period for each zone and source IP. [See Understanding Port Scanning.]

Public Key Infrastructure (PKI)

• Online Certificate Status Protocol (OCSP) [SRX Series]—OCSP, like CRL, checks the revocation status of X509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension. [See Understanding Online Certificate Status Protocol.]

Routing Protocols

• OSPFv3 IPsec authentication and confidentiality [SRX Series]—OSPF for IPv6, also known as OSPF version 3 (OSPFv3), does not have built-in authentication to ensure that routing packets are not altered and re-sent to the router. IPsec can be used to secure OSPFv3 interfaces and virtual links and to provide encryption for OSPF packets.
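The following Python block is an added example for the "UDP port scan protection" item in the Port Security section above; it is not Juniper code. It models the screen's counting rule as a sliding window per (zone, source IP) keyed on the microsecond threshold period the item describes: fewer than 10 new UDP sessions inside the period are allowed, and the session that reaches the limit is reported (treated here as dropped). The exact counting semantics of the SRX implementation are not stated on the page, so the rule, the constructed sample traffic and the function names are this example's assumptions.

```python
from collections import deque

DEFAULT_THRESHOLD_US = 5000             # default threshold period from the item above
MIN_THRESHOLD_US, MAX_THRESHOLD_US = 1000, 1_000_000
ALLOWED_NEW_SESSIONS = 10               # fewer than 10 new sessions per period are allowed


class UdpPortScanDetector:
    """Sliding-window model of the UDP port scan screen.

    One window per (zone, source IP). Each new UDP session is recorded; when the
    number of new sessions inside the threshold period reaches ALLOWED_NEW_SESSIONS,
    the session is reported as scan traffic. The rule is an assumption for illustration.
    """

    def __init__(self, threshold_us=DEFAULT_THRESHOLD_US):
        if not MIN_THRESHOLD_US <= threshold_us <= MAX_THRESHOLD_US:
            raise ValueError("threshold period must be 1000 to 1,000,000 microseconds")
        self.threshold_us = threshold_us
        self.windows = {}   # (zone, src_ip) -> deque of session start times in microseconds

    def new_session(self, zone, src_ip, t_us):
        """Record a new UDP session; return True if it exceeds the per-period allowance."""
        window = self.windows.setdefault((zone, src_ip), deque())
        while window and t_us - window[0] >= self.threshold_us:
            window.popleft()            # forget sessions older than the threshold period
        window.append(t_us)
        return len(window) >= ALLOWED_NEW_SESSIONS


def replay(events, threshold_us=DEFAULT_THRESHOLD_US):
    """Run session-start events (zone, src, dst, dport, t_us) through the detector.

    Returns the events flagged as scan traffic, in time order, as (src, dst, dport, t_us).
    """
    det = UdpPortScanDetector(threshold_us)
    flagged = []
    for zone, src, dst, dport, t in sorted(events, key=lambda e: e[4]):
        if det.new_session(zone, src, t):
            flagged.append((src, dst, dport, t))
    return flagged


def sample_events():
    """Constructed traffic: one host sweeping 20 UDP ports 200 us apart, one DNS client at 10 ms intervals."""
    sweep = [("untrust", "198.51.100.7", "192.0.2.10", 1000 + i, i * 200) for i in range(20)]
    dns = [("untrust", "198.51.100.9", "192.0.2.53", 53, i * 10_000) for i in range(20)]
    return sweep + dns
```

The interesting edge case is the threshold period itself: with the default 5000 microseconds the 200-microsecond sweep is caught at its tenth port, while a period of 1000 microseconds lets the same sweep through because at most five sessions ever fall inside one window. Tuning the period is therefore a trade between catching slow sweeps and flagging legitimate bursts such as a recursive DNS resolver.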
  To configure IPsec for OSPF/OSPFv3, define a security association (SA) with the security-association sa-name configuration option at the [edit security ipsec] hierarchy level. The configured SA is then applied to the OSPF/OSPFv3 interface or virtual link configuration. [See Understanding OSPF and OSPFv3 Authentication on SRX Series Devices.]

Security Policy

• Integrated user firewall [SRX Series]—This feature retrieves user-to-IP address mappings from the Windows Active Directory to use as match criteria in firewall policies. The SRX Series device polls the event log of the Active Directory Controller (ADC) to determine who has logged on. The username and group are queried from the LDAP service in the ADC. The SRX Series device uses the IP address, username, and group information to generate authentication entries that the UserFW module uses to enforce user-based and group-based policy control over traffic.

• Multiple zones for policies [SRX Series]—This feature enables you to configure multiple source zones and multiple destination zones in one global policy. Previously, you had to create a separate policy for each from-zone/to-zone pair, even when other attributes, such as source-address or destination-address, were identical. [See Global Policy Overview.]

Unified Threat Management (UTM)

• Downloadable Kaspersky scan engine [Branch SRX Series]—The Kaspersky scan engine is provided as a downloadable UTM module instead of a preinstalled UTM module. To use this feature, your SRX Series device must have an active UTM license. When you install the KAV license, the system automatically downloads the Kaspersky module from the Juniper Networks server and runs it. When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled Kaspersky engine, the downloaded module replaces the original module on the device.
  Regardless of the UTM license status, when the KAV license is deleted from the device, the Kaspersky engine and all files associated with KAV are removed from the system immediately. [See Full Antivirus Protection Overview.]

• UTM license enforcement [SRX Series]—License enforcement is supported for UTM features, including Sophos antivirus, enhanced Web filtering, and antispam filtering, on all high-end SRX Series devices in addition to branch SRX Series devices. You can add or remove UTM licenses on SRX Series devices. Each feature license is tied to exactly one software feature and is valid for exactly one device. Table 2 on page 21 lists the license modules and the license names.

Table 2: UTM License Information

UTM Module | License Name
SAV | av_key_sophos_engine
AS | anti_spam_key_sbl
EWF | wf_key_websense_ewf

  [See License Enforcement.]

• UTM on next-generation SPC [SRX5400, SRX5600, and SRX5800]—This feature provides support for UTM features, including Sophos antivirus, content filtering, antispam, and enhanced Web filtering, on next-generation SPCs.

VPNs

• HMAC-SHA-256-128 authentication [High-end SRX Series]—HMAC-SHA-256-128 authentication is supported for IPsec proposals and manual security associations on high-end SRX Series devices. You can specify the hmac-sha-256-128 option at the [edit security ipsec proposal proposal-name] and the [edit security ipsec vpn vpn-name manual] hierarchy levels. [See authentication (Security IPsec) and authentication-algorithm (Security IPsec).]

Related Documentation

• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74
Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 12.1X47 for the SRX Series.

Application Identification and Tracking

• Next-generation application identification eliminates the generation of new nested applications and treats existing nested applications as single applications. In addition, next-generation application identification does not support custom applications or custom application groups. Existing configurations involving any nested applications, custom applications, or custom application groups are ignored, and the following warning messages are displayed as system log messages:

  APPID_CUSTOM_APP_UNSUPPORTED: Ignoring unsupported custom app configuration.
  APPID_CUSTOM_NESTAPP_UNSUPPORTED: Ignoring unsupported custom nested app configuration.

  Though configurations commit successfully, related functionality will not be available. For more information, see “Known Behavior” on page 30.

• When you upgrade to Junos OS Release 12.1X47-D10, you might have problems with application firewall and application QoS rules not being enforced for some applications, and with IDP policy load failures.
  Applications or application groups for which services are not enforced, or applications that can cause IDP policy load failures, are indicated by the following system log message: APPID_APP_GRP_UNSUPPORTED

  Example:

  APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:JOOST in path [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:JOOST] [edit security idp custom-attack cs2 attack-type signature protocol-binding nested-application JOOST]
  APPID_APP_GRP_UNSUPPORTED: Ignoring unsupported entry junos:PPLIVE in path [edit security application-firewall rule-sets apptest rule 1 match dynamic-application junos:PPLIVE] [edit class-of-service application-traffic-control rule-sets RS8 rule 1 match application junos:PPLIVE]

  To avoid these problems, we recommend that you upgrade to the latest signature package.

  NOTE: If you are using any applications or application groups that are not present in the latest signature package, you must remove them from application firewall and application QoS rules and IDP policies for installation to complete successfully.

Chassis Cluster

• Starting in Junos OS Release 12.1X46-D20, for all branch SRX Series devices in chassis cluster mode, a node option is available for all show chassis CLI commands. The node option displays status information for all FPCs or for the specified FPC on a specific node (device) in the cluster.

Flow-Based and Packet-Based Processing

• Prior to Junos OS Release 12.1X46-D10, SRX Series devices did not decode SCTP source and destination ports for IPv6 traffic but instead used a preset port 1 to create flow sessions. These preset ports did not match the corresponding security policies and caused the system to drop SCTP IPv6 traffic.
  Starting in Junos OS Release 12.1X47-D10, the actual SCTP source and destination ports (instead of the preset port 1) are used to create flow sessions for SCTP IPv6 traffic.

Intrusion Detection Prevention (IDP)

New sensor configuration options have been added to log run conditions as IDP session capacity and memory limits are approached, and to analyze traffic dropped by IDP and application identification because these limits were exceeded.

• drop-if-no-policy-loaded—At startup, traffic is ignored by IDP by default if the IDP policy is not yet loaded. The drop-if-no-policy-loaded option changes this behavior so that all sessions are dropped before the IDP policy is loaded.

• drop-on-failover—By default, IDP ignores failover sessions in an SRX chassis cluster deployment. The drop-on-failover option changes this behavior and automatically drops sessions that are in the process of being inspected on the primary node when a failover to the secondary node occurs.

• drop-on-limit—By default, sessions are not dropped if the IDP session limit or resource limits are exceeded. In this case, IDP and other sessions are dropped only when the device's session capacity or resources are depleted. The drop-on-limit option changes this behavior and drops sessions when resource limits are exceeded.

• max-sessions-offset—The max-sessions-offset option sets an offset for the maximum IDP session limit. When the number of IDP sessions exceeds the maximum session limit, a warning is logged that conditions exist where IDP sessions could be dropped. When the number of IDP sessions drops below the maximum IDP session limit minus the offset value, a message is logged that conditions have returned to normal.

• min-objcache-limit-lt—The min-objcache-limit-lt option sets a lower threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory.
  If the available cache memory drops below the lower threshold level, a message is logged stating that conditions exist where IDP sessions could be dropped because of memory allocation failures.

• min-objcache-limit-ut—The min-objcache-limit-ut option sets an upper threshold for available cache memory. The threshold value is expressed as a percentage of available IDP cache memory. If available IDP cache memory returns to the upper threshold level, a message is logged stating that available cache memory has returned to normal. For example, the following message shows that the available IDP cache memory has increased above the upper threshold and that it is now performing normally:

• On all SRX Series devices with a single session, when IDP is activated, the upload and download speeds are slow when compared to the firewall performance numbers. To overcome this issue, a new CLI command, set security idp sensor-configuration ips session-pkt-depth, is introduced; the session-pkt-depth sensor configuration is global for all sessions. The session-pkt-depth value specifies the number of packets in a session that IDP inspects; beyond this value, IDP does not inspect the remaining packets of that session. For example, when session-pkt-depth is configured as n, IDP inspection happens only for the first (n-1) packets in that session; from the nth packet, the session is ignored by IDP. The default value of session-pkt-depth is 0; when the value is 0, no packet depth is applied and IDP performs a full inspection of the session.

• A new attribute, max-synacks-queued, is added to the IDP sensor configuration TCP reassembler. This attribute defines the maximum number of SYN/ACKs queued with different SEQ numbers and takes the values 0 through 5.
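The following Python block is an added example for the max-sessions-offset and min-objcache-limit-lt / min-objcache-limit-ut options described above; it is not Juniper code, and the message strings it returns are constructed stand-ins, not Junos system log text. It models what those options give an operator: hysteresis, so that a warning is logged once when a limit is crossed and a "returned to normal" message only after the value has moved past the limit by the offset (for sessions) or up to the upper threshold (for cache memory), instead of a log line on every sample while the value hovers around the limit. The class, method names and sample values are this example's own.

```python
class IdpCapacityMonitor:
    """Hysteresis model of the IDP session-limit and cache-memory logging described above.

    Two independent alarms: one for the IDP session count (limit and offset) and one
    for available IDP cache memory (lower and upper thresholds in percent). Each alarm
    fires once on the way in and clears once on the way out, never on every sample.
    """

    def __init__(self, max_sessions, max_sessions_offset, objcache_lt_pct, objcache_ut_pct):
        if max_sessions_offset < 0 or max_sessions_offset > max_sessions:
            raise ValueError("offset must lie between 0 and max_sessions")
        if not 0 <= objcache_lt_pct < objcache_ut_pct <= 100:
            raise ValueError("lower threshold must be below upper threshold (percentages)")
        self.max_sessions = max_sessions
        self.offset = max_sessions_offset
        self.lt, self.ut = objcache_lt_pct, objcache_ut_pct
        self.sessions_alarm = False
        self.cache_alarm = False

    def observe_sessions(self, active_idp_sessions):
        """Return a log message when the session-count alarm changes state, else None."""
        if not self.sessions_alarm and active_idp_sessions > self.max_sessions:
            self.sessions_alarm = True
            return (f"IDP sessions {active_idp_sessions} exceed limit {self.max_sessions}: "
                    "sessions may be dropped")
        if self.sessions_alarm and active_idp_sessions < self.max_sessions - self.offset:
            self.sessions_alarm = False
            return (f"IDP sessions {active_idp_sessions} below limit minus offset "
                    f"{self.max_sessions - self.offset}: conditions returned to normal")
        return None

    def observe_cache(self, available_pct):
        """Return a log message when available IDP cache memory crosses a threshold, else None."""
        if not self.cache_alarm and available_pct < self.lt:
            self.cache_alarm = True
            return (f"IDP cache {available_pct}% free is below lower threshold {self.lt}%: "
                    "memory allocation failures possible")
        if self.cache_alarm and available_pct >= self.ut:
            self.cache_alarm = False
            return (f"IDP cache {available_pct}% free reached upper threshold {self.ut}%: "
                    "available memory returned to normal")
        return None


def replay_samples(monitor, session_samples, cache_samples):
    """Feed constructed samples through the monitor; return only the messages that were logged."""
    logged = []
    for n in session_samples:
        msg = monitor.observe_sessions(n)
        if msg:
            logged.append(msg)
    for pct in cache_samples:
        msg = monitor.observe_cache(pct)
        if msg:
            logged.append(msg)
    return logged
```

With a limit of 1000 sessions and an offset of 100, a count that rises to 1001, dips to 950 and climbs again produces a single warning: the "normal" message waits until the count falls below 900. That gap is what keeps the log from flapping, and it is also why a very small offset gives noisy logs on a device running near its IDP capacity.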
  Also, a new counter, Duplicate Syn/Ack with different SEQ, is added to the IDP TCP reassembler. This counter displays the number of SYN/ACK packets with different SEQ numbers.

• A system log message is generated when an IDP signature database update or policy compilation fails with an empty dynamic group. The system-generated log message is: Dynamic Attack group [dyn_group_1] has no matching members found. Group is empty.

Network Time Protocol

• On all SRX Series devices, when the NTP client or server is enabled in the edit system ntp hierarchy, the REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP might allow remote attackers to cause a denial of service. To identify the attack, apply a firewall filter and configure the router's loopback address to allow only trusted addresses and networks.

Screens

• In Junos OS releases earlier than Junos OS Release 12.1X47-D20, when the session-based screen limit was hit every second from the same source to multiple destination IP addresses, or from multiple sources to the same destination IP address, the firewall generated a flood of logs per second. For example, if 100 session-based screen attacks for the same source or the same destination IP address were received in a given second, then 100 log messages per second were sent to the syslog server. Starting in Junos OS Release 12.1X47-D20, when a session-based screen is hit multiple times every second for the same source or the same destination IP address, only one syslog message every second is sent for that specific source or destination IP address. If the session-based screen is hit multiple times in a second for multiple source or multiple destination addresses, then multiple syslog messages, one for every unique source and destination address, are sent every second.
  This behavior also applies to flood protection screens with TCP-Synflood-src-based, TCP-Synflood-dst-based, and UDP flood protection.

Security

• Starting in Junos OS Release 12.1X47-D10, on all branch SRX Series devices, the Routing Engine memory is decreased to 960 MB when an advanced service such as next-generation application identification, IDP, or UTM is enabled on the device.

System Logging

• The system log message UTMD_EWF_CAT_OBSOLETE is introduced in Junos OS Release 12.1X47-D15.

• The system log message APPID_CUSTOM_APPGRP_UNSUPPORTED is deprecated in Junos OS Release 12.1X47-D15.

System Management

• During a load override, to increase the memory available to the commit script, make sure you load the configuration by applying the following commands before commit:

  set system scripts commit max-datasize 800000000
  set system scripts op max-datasize 800000000

• On an SRX5800 device in transparent mode, if the device is not processing multicast OSPFv3 hello packets, to fix this condition you must remove the no-packet-flooding statement from the configuration with the delete security flow bridge no-packet-flooding command.

  NOTE: Packet flooding is enabled by default. If you have manually disabled packet flooding with the set security flow bridge no-packet-flooding statement, then use the delete statement above to revert to the default behavior, which allows the device to process multicast OSPFv3 hello packets.

Unified Threat Management (UTM)

• Starting in Junos OS Release 12.1X47-D15, enhanced Web filtering has the following updates:
  • Addition of five new security categories
  • Modification of category names for eight security categories

Table 3: New categories

Category ID | Category Name | Parent ID | Description
220 | Compromised Websites | 0 | Sites that are vulnerable and known to host injected malicious code or unwanted content.
221 | Newly Registered Websites | 0 | Sites whose domain names were registered recently.
1529 | Classifieds Posting | 0 | General function that enables a user to post a classified advertisement.
1530 | Blog Posting | 0 | General function that enables a user to post a blog entry.
1531 | Blog Commenting | 0 | General function that enables a user to post a comment.

Table 4: Updates to existing category names

Old Category Name | New Category Name
Racism and Hate | Intolerance
URL Translation Sites | Website Translation
MP3 and Audio Download Services | Media File Download
Non Traditional Religions and Occult and Folklore | Non Traditional Religions
Freeware and Software Download | Application and Software Download
Images Media | Web Infrastructure
Image Servers | Web Images
Potentially Damaging Content | Suspicious Content

• In Junos OS Release 12.1X47-D10 and earlier, the UTM default configuration on Junos OS did not include junos-default-bypass-mime in the mime-whitelist. The user had to configure the default bypass MIME list manually by using the following command:

  user@host# set security utm feature-profile anti-virus mime-whitelist list junos-default-bypass-mime

  Starting in Junos OS Release 12.1X47-D15, junos-default-bypass-mime is listed in mime-whitelist as the UTM default configuration on Junos OS. The user need not configure it explicitly in the CLI. To check the default mime-whitelist configuration, use the following CLI operational commands:

  [edit]
  user@host> show configuration groups junos-defaults security utm custom-objects mime-pattern junos-default-bypass-mime
  value [ text/css audio/ video/ image/ ];

  [edit]
  user@host> show configuration groups junos-defaults security utm feature-profile anti-virus mime-whitelist
  list junos-default-bypass-mime;

• Starting in Junos OS Release 12.1X47-D20, enhanced Web filtering has the following updates:
  • Addition of seven new security categories. See Table 5 on page 28.
  • Modification of the category name for one security category. See Table 6 on page 29.

Table 5: New categories

Category ID | Category Name | Parent ID | Description
222 | Collaboration Office | 0 | Category that is used to manage the office domain.
223 | Office Mail | 222 | Office function that enables a user to collaborate through email and messaging.
224 | Office Drive | 222 | Office function that enables a user to collaborate through virtual storage.
225 | Office Documents | 222 | Office function that enables a user to collaborate through document applications.
226 | Office Apps | 222 | Office function that enables a user to collaborate through various applications.
227 | Web Analytics | 9 | Sites that are associated with web traffic analysis.
228 | Web and Email Marketing | 9 | Sites that are associated with online marketing.

Table 6: Updates to existing category names

Old Category Name | New Category Name
Supplements and Unregulated Compounds | Nutrition

VPNs

• AutoVPN multicast deprecated—Support for multicast traffic in an AutoVPN hub-and-spoke network is deprecated and will be removed in a future release. AutoVPN hubs are supported on SRX240, SRX550, SRX650, SRX1400, SRX3400, SRX5600, and SRX5800 devices. AutoVPN spokes are supported on SRX100, SRX210, SRX220, SRX240, SRX550, SRX650, and SRX1400 devices.
• In previous Junos OS releases, the Pulse client could be automatically downloaded and installed when users logged into a branch SRX Series device that was configured for dynamic VPN. Starting with Junos OS Release 12.1X47-D15, Pulse client software is no longer available from dynamic VPN SRX Series devices and must be obtained from the Juniper Networks Download Software site at http://www.juniper.net/support/downloads/.

Related Documentation
• New and Changed Features on page 6
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74

Known Behavior

This section contains the known behaviors, system maximums, and limitations in hardware and software in Junos OS Release 12.1X47 for the SRX Series.

Application Identification and Tracking

• In Junos OS Release 12.1X47-D10 with application identification enabled, an impact on application traffic throughput is observed compared to Junos OS Release 12.1X46 or earlier releases under the following scenarios:
  • Application system cache is disabled
  • Average session data length is very small (less than 44 KB)
  • Specific application traffic is distributed extensively across non-standard random ports
  • Certain application traffic generator profiles are used (not in typical real-world deployments)

  You can use the new performance mode CLI command to improve application traffic throughput by configuring the enable-performance-mode parameter.
  • Use the set services application-identification enable-performance-mode command to set deep packet inspection (DPI) to performance mode with the default packet inspection limit of two packets, including both client-to-server and server-to-client directions.
  • Use the set services application-identification enable-performance-mode max-packet-threshold value command to set the maximum packet threshold for DPI performance mode based on your input, including both client-to-server and server-to-client directions. The packet inspection limit can be changed with this CLI command. The range for the max-packet-threshold value is 1 through 100.
  • Use the delete services application-identification enable-performance-mode command to switch DPI back to the default accuracy mode and disable performance mode.
  NOTE: By default, DPI performance mode is not enabled on the SRX Series device.

  Use the show services application-identification status command to display detailed information about application identification status. In the following sample, the DPI Performance mode field shows whether DPI performance mode is enabled. This field is displayed in the CLI command output only if performance mode is enabled.

  pic: 2/1
  Application Identification Status        Enabled
  Sessions under app detection             0
  Engine Version                           4.18.2-24.006 (build date Jul 30 2014)
  Max TCP session packet memory            30000
  Force packet plugin                      Disabled
  Force stream plugin                      Disabled
  DPI Performance mode:                    Enabled
  Statistics collection interval           1 (in minutes)
  Application System Cache
    Status                                 Enabled
    Negative cache status                  Disabled
    Max Number of entries in cache         262144
    Cache timeout                          3600 (in seconds)
  Protocol Bundle
    Download Server                        https://services.netscreen.com/cgi-bin/index.cgi
    AutoUpdate                             Disabled
    Slot 1:
      Application package version          2399
      Status                               Active
      Version                              1.40.0-26.006 (build date May 1 2014)
      Sessions                             0
    Slot 2:
      Application package version          0
      Status                               Free
      Version
      Sessions                             0

• On all SRX Series devices, in next-generation application identification, the CLI statements and commands listed in Table 7 on page 31 are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

Table 7: Items Deprecated in Junos OS Release 12.1X47-D10

Statement | Hierarchy | Additional Information
nested-application | [edit services application-identification] | Configure a custom nested application definition that will be used by the system to identify the nested application as it passes through the device.
nested-application-settings | [edit services application-identification] | Configure nested application options for application identification services.
enable-heuristics | [edit services application-identification] | Enable encryption and P2P detection.
max-checked-bytes | [edit services application-identification] | Configure the maximum number of bytes to be applied with the application signatures.
nested-application | [edit security idp custom-attack attack-name attack-type signature protocol-binding] and [edit security idp custom-attack attack-name attack-type chain protocol-binding] | Specify the nested application name during configuration of custom attack objects to detect known or unknown attacks. NOTE: All nested applications that used to be listed under this statement are now listed under the application application-name statement at the [edit security idp custom-attack attack-name attack-type signature/chain protocol-binding] hierarchies.
nested-application | [security application-firewall] | Enable the nested application dynamic lookup to match the application firewall with an application rule during application firewall policy lookup, if there is no explicit rule for the nested application.
max-sessions | [edit services application-identification] | Specify the maximum number of sessions application identification maintains. If the value reaches the maximum, all new sessions are dropped.
request services application-identification application copy predefined-application-name | NA | Copy a predefined application signature from the database to the configuration and change the name.
show services application-identification counter ssl-encrypted-sessions | NA | Display application identification counters for SSL-encrypted traffic.

• On all SRX Series devices, custom application signatures are not supported with this version of application identification.
  As a part of this change, the CLI statements used for configuring custom applications as listed in Table 8 on page 32 are not supported in this release.

Table 8: Statements Not Supported in Junos OS Release 12.1X47-D10

Statement | Hierarchy | Additional Information
application | [edit services application-identification] | Configure a custom application definition for the desired application name that will be used by the system to identify the application as it passes through the device.
application-group | [edit services application-identification] | Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies.

• On all SRX Series devices, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. As a part of this change, the CLI statements and commands listed in Table 9 on page 33 are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

Table 9: Items Deprecated in Junos OS Release 12.1X47-D10

Statement | Hierarchy | Additional Information
application-ddos | [edit security idp] | Configure application-level distributed denial-of-service (DDoS) protection.
rulebase-ddos | [edit security idp idp-policy policy-name] | Configure the rulebase parameters for application-level DDoS attacks.
application-ddos | [edit security idp sensor-configuration] | Enables application-level DDoS statistics collection.
clear security idp application-ddos cache | – | Clear application-level distributed denial-of-service (DDoS) state including context, context value, and client classification.
show security idp application-ddos application | – | Display basic statistics for the servers being protected by the IDP application-level DDoS feature.
show security idp counters application-ddos | – | Display the status of all IDP application-DDoS counter values.
clear security idp counters application-ddos | – | Clear the status of all IDP application-DDoS counter values.

  We strongly recommend that you phase out deprecated items and replace them with supported alternatives.

• On all high-end SRX Series devices, application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules with different application-level DDoS applications process traffic going to a single destination application server. When setting up application-level DDoS rules, make sure that you do not configure rulebase-ddos rules that have two different application-ddos objects when the traffic destined to one application server can match more than one rule. Essentially, for each protected application server, you have to configure the application-level DDoS rules so that traffic destined for one protected server matches only one application-level DDoS rule.

  NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

  The following configuration options can be committed, but they will not work properly:

  source-zone | destination-zone | destination-ip | service | application-ddos | Application Server
  source-zone-1 | dst-1 | any | http | http-appddos1 | 1.1.1.1:80
  source-zone-2 | dst-1 | any | http | http-appddos2 | 1.1.1.1:80

• On all high-end SRX Series devices, the application-level DDoS rule base (rulebase-ddos) does not support port mapping.
  If you configure an application other than default, and if the application is from either the predefined Junos OS applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection will not work. When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports; thus, application-level DDoS detection works properly.

CLI and J-Web

• In CLI and J-Web, the number of users allowed to access the device is limited as follows:

  Device | CLI Users | J-Web Users
  SRX100 | 6 | 3
  SRX110 | 6 | 3
  SRX210 | 4 | 3
  SRX220 | 9 | 5
  SRX240 | 6 | 5
  SRX550 | 11 | 5
  SRX650 | 11 | 5

Dynamic Host Configuration Protocol (DHCP)

• On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server and DHCP client are not supported in Layer 2 transparent mode.
• On all SRX Series devices, DHCPv6 client authentication is not supported.
• On all SRX Series devices, logical systems and routing instances are not supported for the DHCP client in chassis cluster mode.

Flow-Based and Packet-Based Processing

• On all branch SRX Series devices, GRE fragmentation is not supported in packet-based mode.

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices, only a unified ISSU to the immediately following Junos OS release is supported. For example, unified ISSU from Junos OS Release 12.1X44 to Junos OS Release 12.1X45 is supported.
• SRX5800 devices do not support a redundant SCB card (third SCB) if an SRX5k SPC II (FRU model number: SRX5K-SPC-4-15-320) is installed on the device. If you have installed an SRX5K SPC II on an SRX5800 device with a redundant SCB card, make sure to remove the redundant SCB card.
• On SRX100, SRX110, SRX210, and SRX220 devices, DRAM memory is not supported. However, chassis cluster is supported when two devices have the same 1 GB or 2 GB of memory.
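The two rulebase-ddos restrictions described under Application Identification and Tracking above (rules are terminal, so each protected server must be covered by only one application-ddos object; and a non-default application on a nonstandard port is not detected because the rule base does not support port mapping) can be checked before a configuration is committed. The following is an added example, not Juniper code: it lints a constructed list of rules modeled on the two-rule table above. The rule names, the 2.2.2.2:8080 server, the my-http-8080 application, the dictionary record layout and the STANDARD_PORTS map are assumptions made for the example, not Junos configuration syntax.

```python
"""Lint application-level DDoS (rulebase-ddos) rules for two restrictions:
(1) rules are terminal, so no two rules with different application-ddos
objects may cover the same protected server; (2) the rule base does not
support port mapping, so an application other than "default" that binds a
service to a nonstandard port will not be detected.
Added example; rule records are a constructed form, not Junos syntax."""

from collections import defaultdict

# Constructed sample: the two conflicting rules from the release notes
# (1.1.1.1:80) plus a third rule (2.2.2.2:8080, my-http-8080) that exercises
# the port-mapping check. "application" is "default" or a named application.
SAMPLE_RULES = [
    {"name": "r1", "source-zone": "source-zone-1", "destination-zone": "dst-1",
     "destination-ip": "any", "service": "http",
     "application-ddos": "http-appddos1", "server": "1.1.1.1:80",
     "application": "default"},
    {"name": "r2", "source-zone": "source-zone-2", "destination-zone": "dst-1",
     "destination-ip": "any", "service": "http",
     "application-ddos": "http-appddos2", "server": "1.1.1.1:80",
     "application": "default"},
    {"name": "r3", "source-zone": "source-zone-3", "destination-zone": "dst-2",
     "destination-ip": "any", "service": "http",
     "application-ddos": "http-appddos3", "server": "2.2.2.2:8080",
     "application": "my-http-8080"},
]

# Standard port per service; constructed for the example. A non-default
# application whose server port differs from this implies port mapping.
STANDARD_PORTS = {"http": 80, "https": 443, "dns": 53, "smtp": 25}


def conflicting_servers(rules):
    """Map each protected server to the sorted application-ddos names that
    cover it, keeping only servers covered by more than one object."""
    by_server = defaultdict(set)
    for rule in rules:
        by_server[rule["server"]].add(rule["application-ddos"])
    return {srv: sorted(objs) for srv, objs in by_server.items() if len(objs) > 1}


def port_mapped_rules(rules):
    """Return names of rules whose application is not "default" and whose
    server port is not the standard port of the rule's service."""
    flagged = []
    for rule in rules:
        if rule["application"] == "default":
            continue
        port = int(rule["server"].rsplit(":", 1)[1])
        if port != STANDARD_PORTS.get(rule["service"]):
            flagged.append(rule["name"])
    return flagged


def lint(rules):
    """Collect human-readable findings for both restrictions."""
    findings = []
    for srv, objs in conflicting_servers(rules).items():
        findings.append(
            f"{srv}: {len(objs)} application-ddos objects ({', '.join(objs)}); "
            "rules are terminal, so traffic to this server is processed by only one of them")
    for name in port_mapped_rules(rules):
        findings.append(
            f"rule {name}: non-default application on a nonstandard port; "
            "application-level DDoS detection will not work (no port mapping)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Running the block reports the 1.1.1.1:80 conflict from the table and flags r3; a real deployment would feed it rules exported from the device rather than the constructed list.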
Hardware

• On SRX5400, SRX5600, and SRX5800 devices, services offloading is not supported on Modular Port Concentrators (SRX5K-MPCs) and Modular Interface Cards (MICs).

Interfaces and Chassis

• On all branch SRX Series devices, CLNS routing is not supported on aggregated Ethernet interfaces.
• On all SRX Series devices, the Link Layer Discovery Protocol (LLDP) is not supported on reth interfaces.

Integrated User Firewall

• On SRX Series devices, Integrated User Firewall has the following limitations:
  • IPv6 addresses are not supported.
  • Logical systems are not supported.
  • The WMIC does not support multiple users logged onto the same PC.
  • Domain controllers and domain PCs must be running Windows OS. The minimum supported Windows client is Windows XP. The minimum supported server is Windows Server 2003.

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, in sniffer mode, ingress and egress interfaces work with flow showing both source and destination interfaces as the egress interface. As a workaround, in sniffer mode, use tagged interfaces so that the same interface names are displayed in the logs. For example, with ge-0/0/2.0 as the ingress (sniff) interface and ge-0/0/2.100 as the egress interface, the logs show the source interface as ge-0/0/2.100.

  set interfaces ge-0/0/2 promiscuous-mode
  set interfaces ge-0/0/2 vlan-tagging
  set interfaces ge-0/0/2 unit 0 vlan-id 0
  set interfaces ge-0/0/2 unit 100 vlan-id 100

  NOTE: On all branch SRX Series devices, sniffer mode is not supported.

IP Monitoring

• On SRX5400, SRX5600, and SRX5800 devices, in each PIC on the 40x1GE IOC cards only 2 of the 10 ports can be enabled with IP monitoring on both the primary and secondary sides. If more than two ports on the same PIC are enabled with IP monitoring, the behavior of IP monitoring through reth or RLAG on the secondary side might be abnormal.
• On SRX5400, SRX5600, and SRX5800 devices, the maximum number of IP addresses that can be configured for monitoring is limited to 64.
• On SRX1400, SRX3400, and SRX3600 devices, the maximum number of IP addresses that can be configured for monitoring is limited to 32.
• On all high-end SRX Series devices, the default and minimum interval of IP monitoring is 1 second, and the maximum interval is 30 seconds.
• On all high-end SRX Series devices, the default and minimum threshold of IP monitoring is 5, and the maximum threshold is 15.
• When IP monitoring is enabled on a different subnet than the reth IP address, you must configure the proxy-arp unrestricted option on the upstream router.

IPv6

• On all branch SRX Series devices, IPv6 flows are not supported in transparent mode.

Layer 2 Transparent Mode

• On all branch SRX Series devices, configuring the Layer 2 Ethernet switching family in transparent mode for an interface is not supported.

Network Address Translation (NAT)

• On high-end SRX Series devices, the number of IP addresses for NAT with port translation has been increased to 1M addresses. The SRX5000 line, however, supports a maximum of 384M translation ports, and this maximum cannot be increased. To use 1M IP addresses, you must confirm that the port number is less than 384. The following CLI commands enable you to configure the twin port range and limit the twin port number:
  • set security nat source pool-default-twin-port-range <low> to <high>
  • set security nat source pool sp1 port range twin-port <low> to <high>

TCP-Based DNS

• On all SRX Series devices, the Routing Engine policy supports a maximum of 1024 IPv4 address prefixes and 256 IPv6 address prefixes that can be sent to the Packet Forwarding Engine.
  If the number of IPv4 or IPv6 address prefixes exceeds these limits, the addresses over the limit are not sent to the Packet Forwarding Engine and a system log message is generated. The maximum number of addresses in a TCP DNS response is 4094 for IPv4 addresses and 2340 for IPv6 addresses, but only 1024 IPv4 addresses and 256 IPv6 addresses are loaded to the Packet Forwarding Engine.

Upgrade and Downgrade

• On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option.

VPNs

• RIP is not supported in point-to-multipoint (P2MP) VPN scenarios including AutoVPN deployments. We recommend OSPF or IBGP for dynamic routing when using P2MP VPN tunnels.

Related Documentation

• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 12.1X47-D20 for the SRX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Application Identification and Tracking

• On all SRX Series devices, the Layer 3 and Layer 4 signatures (IP and ICMP protocols) are not supported in AppID 2.0. PR986058
• On all SRX Series devices, when you upgrade Junos OS from Release 12.1X46-D10 to 12.1X47-D20, the appcache and session state synchronization is not supported because of incompatible changes in the AppID engine.
  PR986569

Application Layer Gateways (ALGs)

• On all SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP and port pair exists in the MS-RPC response packet, and these IP and port pairs are the same, the ALG group might leak. This issue might also occur in a Sun RPC scenario. PR1010499

Chassis Cluster

• On all high-end SRX Series devices, it is strongly recommended that the device is running below 50 percent CPU at the control plane and data plane before starting ISSU. If the primary device is running at more than 70 percent CPU, ISSU will fail in most cases because of cold synchronize failures. Use the show chassis routing-engine (RE CPU) and show security monitoring (SPC CPU) commands to check CPU utilization. If the device is running at high CPU, it is strongly recommended to disable the traceoptions or only allow critical-level logging, using the set deactivate chassis cluster traceoptions command and, for security policy logging, the <deactivate security policies from-zone untrust to-zone trust policy default-deny then log session-close/session-init> command. If the high CPU is because of heavy traffic, redirect the traffic to another security device or wait until the traffic cools down. PR1016437
• On all high-end SRX Series devices in a chassis cluster, when both nodes are rebooted simultaneously, the chassis cluster environment might show an interface monitoring failure even though the monitored interface is up. This causes unnecessary failover of the redundancy group. PR1032711

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the sub object identifier (OID) values displayed under jnxJdhcpLocalServerBindings are incorrect. PR946036
• On all high-end SRX Series devices, after you delete the DHCP server binding, the IP addresses assigned to the ARP and host route still exist on the device. PR947601
• On all high-end SRX Series devices, the DHCP relay does not work when you configure the DHCP relay to point to a local server in a different routing instance. PR964710

Flow-Based and Packet-Based Processing

• On all multiple-thread-based SRX Series devices (SRX240 and above), if IDP, AppSecure, ALG, GTP, or the SCTP feature, which requires serialized flow processing, is enabled, the device might encounter an issue where two flow threads work on the same session at the same time for the serialized flow processing. This issue might cause memory corruption and then result in a flowd process crash. PR1026692
• On all high-end SRX Series devices, when the SPU works in high-stress mode, the internal event queue can become full and an event can be lost. There is no retransmission mechanism for this internal event, and the connection enters a “session stuck” state. The stuck session is recovered by the upper-layer applications. For example, when the TCP session log module is stuck, you cannot send any log messages. After 30 seconds, the log module detects this condition and restarts a new connection to send the log messages. However, if the UDP session log module is stuck, you can still send log messages. As a workaround, for SPC II cards, limit the number of concurrent sessions that need Layer 7 processing to 3000 per SPU. For other devices, limit the number of concurrent sessions that need Layer 7 processing to 2500 per SPU. PR1060529

Interfaces and Routing

• On all high-end SRX Series devices, during the ISSU process, the Packet Forwarding Engine connects to and sometimes disconnects from the Routing Engine. Hence, the IP resolve events sent to the Packet Forwarding Engine are ignored. When you configure multiple DNS policies after the ISSU process, some of the policies will not have IP addresses in the Packet Forwarding Engine. As a workaround, use the request security policies resync command.
  PR985731
• On SRX100H2 and SRX220H2 devices, when you enable VLAN tagging on interfaces and commit the configuration, the interface speed and duplex mode might cause the interface to stop processing traffic. As a workaround, deactivate and then activate the affected interface. PR1003423
• On SRX210 and SRX220 devices, broadcast packets might not be sent to the Routing Engine following system initialization. PR1029424

Intrusion Detection and Prevention (IDP)

• On all branch SRX Series devices, the severity for the IDP report changes from log severity to threat severity. PR1019401

J-Web

• On all SRX Series devices in J-Web, policies configured using the Firewall wizard are not reflected on the Configure > Security > Policy > Firewall Policy page. PR933053
• On all SRX Series devices, the feature session limit is based on the managed session entries, but in modern browsers the session is shared among multiple tabs and windows. Hence, the feature can only work with windows opened in different modern browsers. PR1000332
• On all branch SRX Series devices, the J-Web Dashboard does not show the correct LED color for alarm status. PR1026883
• On all branch SRX Series devices, when you configure the J-Web setup wizard while creating a new configuration and apply the configuration, the changes are not reflected on all devices. As a result, the device displays the configuration change alert and sends a message for you to commit the configuration. As a workaround, when you configure the J-Web setup wizard while creating a new configuration, you must perform a commit operation after applying the configuration. PR1058434

Network Address Translation (NAT)

• On all high-end SRX Series devices in a chassis cluster, some persistent NAT table entries cannot be removed on the SPU when the device is under heavy traffic with multiple failovers.
  PR834823
• On all SRX Series devices, when persistent NAT is enabled and allocation of a resource (port) for an incoming session fails, the session reference count for that binding increases constantly even if no more sessions are associated with it. This results in stale entries in the persistent NAT binding table, which causes persistent NAT table exhaustion. PR1036020
• On SRX5400, SRX5600, and SRX5800 devices with the SPC II (SRX5K-SPC-4-15-320) installed, if a NAT IP address pool is configured with a large number of IP addresses (more than 56,000), executing the show snmp mib walk jnxJsNatSrcNumPortInuse command causes the flowd process to crash. PR1052154

Platform and Infrastructure

• On all SRX Series devices, when you connect to the device through a wireless AP, the secure access port incorrectly allows access to MAC addresses that are not in the list of allowed MAC addresses. PR587163
• On all high-end SRX Series devices, when you try to reload a kernel module that is already linked to the kernel, an error message is displayed because the module is already present. No functionality is impacted by the error message. PR817861
• On all SRX Series devices, when you upgrade Junos OS from one release to another, the following error messages are displayed:

  Network security daemon: rtslib: ERROR kernel does not support all messages: expected 102 got 98,a reboot or software upgrade may be required
  Network security daemon: rtslib: WARNING version mismatch for msg unknown: expected 98 got 0,a reboot or software upgrade may be required

  These error messages are harmless and are generated during image checking; they do not impact the ISSU. PR926661
• On all high-end SRX Series devices, when you use multicast and there are more than 600 copies of a multicast packet for a multicast group, the flowd process might crash while committing a change to the multicast configuration.
  PR986592
• On all SRX Series devices, the \x22 \x27 parsing fails because of the escape sequences in C. As a workaround, insert x/22 between the escape sequences. For example, insert \x\x2222\x\x2227 between the escape sequences. PR992606
• On all branch SRX Series devices, after enabling IEEE 802.1X, the connected devices on some ports might fail to be authenticated. This is because MAC authentication requests might get stuck in the eswd process; therefore this issue might be seen on certain random ports, not all ports. PR1042294
• On all branch SRX Series devices, the message twsi0: Device timeout on unit 1 fills the console on soft reboot. PR1050215
• On all branch SRX Series devices, the configurations of the group junos-defaults are lost after a configuration rollback. As a result, the commit command fails. PR1052925

Security Policy

• On SRX3400 and SRX3600 devices, logical systems with the policy count option displayed the statistics only after a while following a show command, or the counters stopped incrementing if both redundancy groups were not on the same node as a result of failover. PR782546

System Logging

• On all branch SRX Series devices, when you configure the TCP connections of the system log stream with more than one TCP connection (for example, three), redundancy group failover occurs. As a workaround, clear the log connections and re-create the TCP log connections. The TCP connections will be reduced to two. PR1038113
• On all high-end SRX Series devices, network processor offloading and UTM cannot coexist at the same time. Network processor offloading is disabled automatically if UTM is enabled. This is due to a memory capacity limitation. PR1059527

VPN

• On all SRX Series devices, the block size for Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) has been reduced from 8 to 4.
  Block size 8 is used for connecting to other SRX Series devices, and block size 4 is interoperable with systems from Cisco, strongSwan, and other companies. When you set the correct block size 4 for AES-GCM, it causes a problem when connecting to previous releases of Junos OS for SRX Series devices. The problem affects certain packet sizes, so it might appear to work for some traffic, such as ping, but not for other traffic. In a hub-and-spoke configuration, the upgrade causes problems with tunnels to all spokes until they are upgraded.

  As a workaround, for a hub-and-spoke topology, first change the tunnel to an algorithm other than AES-GCM. Next, upgrade each spoke. After you have upgraded all spokes (and therefore AES-GCM is not being used), upgrade the hub. Finally, change each tunnel back so that it uses AES-GCM again. For other network topologies, you must change each AES-GCM tunnel to another algorithm, upgrade the devices, and then change the configurations back to AES-GCM. PR1037432

Related Documentation

• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Resolved Issues on page 44
• Documentation Updates on page 71
• Migration, Upgrade, and Downgrade Instructions on page 74

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues 12.1X47-D20

Application Layer Gateways (ALGs)

• On all high-end SRX Series devices, SCTP traffic sessions are established on an SPU that is selected by the port’s hash algorithm. This means that session affinity does not take effect for SCTP traffic even if the SCTP ALG is disabled.
  However, since the SCTP and session affinity conflict occurs naturally, session affinity does not support SCTP traffic when the SCTP ALG is enabled. PR1019859
• On all SRX Series devices with the SIP ALG and NAT enabled, the SIP ALG does not execute IP translation for retransmitted 183 Session Progress messages. In this scenario, the SIP call fails when the device receives the first 183 Session Progress message without SDP information but the retransmitted 183 Session Progress messages contain SDP information. PR1036650
• On all SRX Series devices, the DNS ALG does not terminate the session when a truncated DNS reply is received. Hence, the session remains up until the high timeout (10~50) is reached. PR1038800
• On all SRX Series devices, if the SUN RPC traffic has the same IP address, port number, and program ID but is coming from a source zone other than that of the session, the traffic is dropped by the SUN RPC ALG. PR1050339

Chassis Cluster

• On SRX5400, SRX5600, and SRX5800 devices with SPC II cards installed, when IP spoofing is enabled, after the device under test (DUT) is rebooted, the address books in the Packet Forwarding Engine are removed and not pushed back into the Packet Forwarding Engine. Due to this issue, IP spoofing does not work after reboot. PR920216
• On all SRX Series devices configured in a chassis cluster, VLAN interfaces on the primary node might flap or go down. PR1001162
• On all high-end SRX Series devices in a chassis cluster, when you perform an ISSU upgrade on a chassis cluster containing an IDP detector configuration, the FPCs on one node might remain in the offline state. PR1025203

CLI

• On all high-end SRX Series devices, system commit synchronize is not supported. Hence, when you configure it, it will not be committed due to a configuration lock. PR1012692
• On all SRX Series devices, CLI auto-complete does not work for any keywords after you run the set system login class <name> permissions command. PR1032498

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
• On all branch SRX Series devices, in DHCP requests, the IP TTL value is set to 1 and the DHCP option 12 is missing. PR1011406
• On all branch SRX Series devices configured as a DHCP server (using JDHCP), even though the next-server (siaddr) and tftp boot-server options are configured, the siaddr and tftp boot servers are set with the IP address 0.0.0.0 in DHCP reply packets. PR1034735
• On all SRX Series devices configured as a DHCP server (using the jdhcpd process), when the DHCP server gets a new request from a client and applies an IP address from the authentication process (authd), the jdhcpd process is expected to communicate with the authd process twice (once for the DHCP discovery message and once for the DHCP request message). If the authentication fails in the first message, the authd process waits indefinitely for the second authentication request. However, the jdhcpd process never sends the second request, because the process detects that the first authentication did not occur. This causes a memory leak in the authd process, and the memory might get exhausted, generating a core file and preventing DHCP server service. High CPU usage on the Routing Engine might also be observed. PR1042818

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, after a failover, there is a reroute process for each existing session on the newly active device. The reroute is delayed and is triggered by the first packet hitting an existing session.
If multiple packets of the same session come in at once and are picked up by different threads for processing, only one thread runs the reroute, while the other threads have to wait for the result before forwarding the packet. This waiting period penalizes traffic for other sessions and affects the overall throughput. Therefore, such packets are dropped instead of waiting, in order to optimize the overall system fairness and throughput. This drop does not affect newly created sessions, because that is a different data path. PR890785
• On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
• On all branch SRX Series devices, the temporary flowd process crashes while you run the get-software-information level=detail command using a NETCONF client. This type of flowd crash is harmless. PR937450
• On SRX1400 devices, in a rare condition, SPUs might run into a dead loop. High CPU usage on SPUs is seen, and the flowd process eventually crashes. PR1017665
• On all branch SRX Series devices in Layer 2 transparent mode, the flowd process might generate a core file when two packets of the same connection are received in a short time before the flow session is created, and the destination MAC address lookup succeeds for both packets. PR1025983
• On all high-end SRX Series devices, when a device forwards traffic, a flowd core file is generated. This is a generic issue and does not impact any feature. PR1027306
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, configuring a sampling feature (flow monitoring) might cause high kernel heap memory usage. PR1033359
• On all SRX Series devices, when WebTrends Enhanced Log File (WELF) format is configured for the security log, the device generates very long WELF-formatted logs (for example, logs of more than 1000 bytes).
When the log is truncated on the Packet Forwarding Engine and sent to the Routing Engine, memory corruption occurs, causing the flowd process to crash. This issue generally occurs when UTM Web filtering is configured. PR1038319
• On all branch SRX Series devices in a chassis cluster Z mode, if static NAT or destination NAT is configured, and in the NAT rule the IP address of the incoming interface is used as the matching condition for the destination address (for example, set security nat static <rule-set-name> rule <rule-name> match destination-address <IP address of the incoming interface>), then the traffic matching the NAT rule is discarded. PR1040185

Interfaces and Routing

• On all high-end SRX Series devices, when a router is acting as an NTP broadcast server, broadcast addresses must be in the default routing instance. NTP messages are not broadcast when the address is configured in a VPN virtual routing and forwarding (VRF) instance. PR887646
• On all high-end SRX Series devices, LAG interface gratuitous ARP is neither generated nor sent out on the link when gratuitous-arp-on-ifup is configured. PR889851
• On SRX240, SRX550, and SRX650 devices, a delay of several seconds (maximum 4 seconds) might occur in detecting that the link is down. PR1008324
• On all branch SRX Series devices, in a rare condition, during a failure of a routing update, freed memory might be accessed again, which results in a flowd process crash. PR1017148
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if a reth LAG is configured and child interfaces are associated with different network processing units (NPUs), when the device undergoes high-speed session creation (for example, 360,000 connections per second (CPS) on an SRX5800 device), the central point CPU might be stuck at 99 percent utilization after a data plane redundancy group failover.
PR1030913
• On all branch SRX Series devices with First Hop Router (FHR) in a multicast scenario, after the device reboots, the PIM tunnel selects loopback0.0 as the outgoing interface due to a timing issue where the route is not ready. If loopback0.0 and the downstream interface are not in the same security zone, the PIM register packets are dropped because of reroute failure. PR1031185
• On all branch SRX Series devices, multiple CoS rewrite rules are applied to a single interface where only one rewrite rule is allowed. PR1034173
• On all high-end SRX Series devices, in each node there is only one Routing Engine. RE 0 in the master node is the master Routing Engine and RE 0 in the secondary node is the backup Routing Engine. The request system power-off both-routing-engines command powers off both the master and the backup Routing Engines simultaneously. PR1039758
• On all high-end SRX Series devices, the request system power-off both-routing-engines command powers off both nodes. PR1047349

Intrusion Detection and Prevention (IDP)

• On SRX210 and SRX220 devices, due to memory constraints, the combination of large IDP policies (that is, IDP_Default) along with express antivirus (EAV) might not compile successfully. PR974851

J-Web

• On all SRX Series devices, when you go to the Monitor>NAT>Source NAT page and click the Resource Usage tab, all Pool type values in the grid are displayed as PAT. J-Web fails to recognize the Non-PAT pool. PR1036621
• On all branch SRX Series devices, J-Web does not display all the member link interfaces for an aggregated Ethernet (ae) interface. PR1038850

Platform and Infrastructure

• On all high-end SRX Series devices, when a composite next hop is used, an RSVP session flap might cause a state mismatch between the master Routing Engine and the backup Routing Engine, which eventually leads to a kernel crash on the master Routing Engine.
PR905317
• On all branch SRX Series devices, when the flexible-vlan-tagging option is enabled, the return traffic might be dropped on the tagged interface with the message "packet dropped, pak dropped due to invalid l2 broadcast/multicast addr". PR1034602

Security Policy

• On all branch SRX Series devices, when you swap the sequence of security policies or when security policies are disabled by a scheduler, the applications configured in these security policies might be added to other enabled security policies. This might cause unexpected applications to be evaluated by other security policies, and traffic to be permitted or denied unexpectedly. PR1033275
• On all SRX Series devices, when there are more than 32 policies configured in a global security policy, and if there is a zone-based global security policy whose sequence number is greater than 32, then a policy mismatch error might occur, causing incorrect traffic evaluation. PR1057215

System Logging

• On all SRX Series devices, if the stream mode logging has an incomplete configuration for multiple streams, after reboot the system might not send out stream logs to the properly configured streams. PR988798
• On all high-end SRX Series devices, RT_PFE errors might be generated due to reroute failure when a more specific route entry is added or deleted. PR1009947
• On all branch SRX Series devices, "flowd_octeon_hm: pconn_client_connect: Failed to connect to the server after 0 retries" messages are repeated in the log file. PR1035936

Unified Threat Management (UTM)

• On all high-end SRX Series devices, due to a memory leak in the utmd process, the utmd process might cause control plane CPU utilization that is higher than expected even when the Unified Threat Management (UTM) feature is not enabled. The memory leak can only be triggered if there is a UTM license installed on the system.
PR1027986

VPN

• On all branch SRX Series devices, IPsec tunnel reconnection might cause a memory leak. PR1002738
• On all branch SRX Series devices, in group VPN setups, all the already registered members might suddenly disappear from the key server due to a memory leak. PR1023940
• On all branch SRX Series devices, if IPsec VPN is enabled using IKE version 2 (IKEv2), and a distinguished name is used to verify the IKEv2 phase 1 remote identity, then when a remote peer initiates IKEv2 phase 1 Security Association (SA) renegotiation (the SRX Series device works as a responder), the newly negotiated VPN tunnel might stay in an inactive state on the data plane, causing IPsec VPN traffic loss. PR1028949
• On all branch SRX Series devices in a dynamic endpoint (DEP) VPN scenario, the VPN tunnel might stay in the down state after the user-at-hostname value is changed. PR1029687
• On all high-end SRX Series devices with an IPsec VPN configuration, because of a rare timing issue, the IPsec VPN traffic might be dropped due to a "bad SPI" message on the traffic-receiving side during IPsec Security Association (SA) rekey. PR1031890
• On all SRX Series devices, in an AutoVPN configuration after reboot, the VPN tunnel might not come up and an error with the private key is reported. PR1032840
• On all high-end SRX Series devices with policy-based IPsec VPN configured, deleting security policies that are associated with a VPN tunnel might result in a stale VPN tunnel remaining. In addition, the tunnel might be associated with the newly added security policies. PR1034049
• On all SRX Series devices, when the primary IP address of an interface changes, some IPsec tunnels terminated on that interface might go down. PR1044620

Resolved Issues 12.1X47-D15

Application Layer Gateways (ALGs)

• On all SRX Series devices, when there is heavy SIP traffic through the device, high CPU usage is seen on one or more SPUs.
This issue occurs due to a certain type of SIP-handling logic, which dumps payload packets to the internal buffer. This logic has been optimized to reduce load on the SPU. PR985932
• On all SRX Series devices, when the ALG processes SIP traffic, a memory corruption issue might occur and crash the flowd process. PR992478
• On all SRX Series devices in a chassis cluster with the PPTP ALG enabled and the PPTP session closed, memory corruption might occur on the secondary node, which causes the flowd process to crash. PR993447
• On all SRX Series devices, if the Sun RPC trace is enabled, a core file is generated on the secondary node when you upgrade through ISSU. PR998245
• On all SRX Series devices with the MS-RPC ALG enabled, occasionally, when more than one IP and port pair exists in the MS RPC response packet, and these IP and port pairs are the same, the ALG group might leak. This issue might occur even in a Sun RPC scenario. PR1010499
• On all SRX Series devices with the SIP ALG enabled, when either retain-hold-resource and NAT are configured or retransmission of 183 session progress messages with SDP occurs (the first transmission did not have SDP), the SIP ALG incorrectly changes the IP address that is embedded inside the media payload to zero, causing a call failure. PR1016969
• On all SRX Series devices, in certain situations, the H.323 ALG incorrectly handles translation because the stored position is not initialized properly. As a result, H.323 endpoint registration failure and call failure occur. PR1023528

Certificate Authority (CA)

• When the PKI certificate expires at a later date, the output of the show security pki ca-certificate detail command incorrectly shows "Not after: time not determined UTC" under the Validity field.
PR878036

Chassis Cluster

• On all branch SRX Series devices, in dual fabric link chassis clusters, when the control link and one fabric link go down, the chassis cluster goes into a "split brain" condition in which both nodes become primary. With one fabric link up, the secondary node of the chassis cluster goes into an ineligible state and then into the disabled state. PR989548
• On all high-end SRX Series devices, when you use the maximize-cp-sessions option, it decreases the amount of memory available for other functions. Therefore, the SPUs might not reach the published maximum number of supported VPN tunnels when the maximize-cp-sessions option is configured. PR1027761

Flow-Based and Packet-Based Processing

• On all high-end SRX Series devices, the name of the ICMP6 big packet is changed to junos-icmp6-packet-too-big instead of junos-icmp6-packet-to-big. PR917007
• On all high-end SRX Series devices, when IPsec is enabled, AppQoS does not apply the rate limiter for egress traffic. PR918942
• On all SRX Series devices, under certain conditions, the creation of a multicast leaf session might result in an invalid multicast next hop, which crashes the flow module. PR921438
• On all branch SRX Series devices, multicast traffic might cause a memory leak on the data plane. PR947894
• On all SRX Series devices, CoS buffer sizes are not recalculated after you delete the interface units, and this might result in suboptimal CoS behavior. PR953924
• On all high-end SRX Series devices, IPv6 traffic is reordered during IPsec VPN encryption because the fragment order is not maintained for IPv6 traffic. PR962600
• On all high-end SRX Series devices in a chassis cluster, the CPU load of the SPC on the new backup node might go higher after a data plane failover because of packets in an infinite loop between the nodes.
PR963033
• On all branch SRX Series devices with selective stateless packet-based services configured, self-traffic generated on custom routing instances is dropped if it is forwarded in packet-based mode. PR968631
• On SRX5400, SRX5600, and SRX5800 devices configured with SPC II cards, a memory leak might occur on the SPC II Control Plane Processor (CPP), causing the SPC II CPP to reboot. PR975345
• On all SRX Series devices (except the SRX110) in a chassis cluster, the flowd process might crash when it receives corrupted real-time objects (RTOs). PR981301
• On SRX240, SRX550, and SRX650 devices, in certain circumstances, packets might go out of order or be dropped by the device. This issue affects multithreaded branch SRX Series devices and typically occurs in mixed traffic (TCP or UDP) environments. PR977614
• On all SRX Series devices in a chassis cluster, when you terminate the GRE tunnel over IPsec VPN, sessions through the GRE tunnel are deleted unexpectedly when the session that is installed on the backup node times out, which is normally at eight times the session timeout. PR982880
• On all SRX Series devices, the flow serialization impacts session performance for IDP, AppSecure, ALG, GTP, or SCTP, and it continues even after Layer 7 processing is completed. PR986326
• On all branch SRX Series devices, due to an indirect next-hop change, memory corruption occurs in the flow route lookup table, causing the flowd process to crash. PR988659
• On all high-end SRX Series devices, when fragmented packets are processed, the first fragment (the fragment that contains Layer 4 information) is used to create the session, and the subsequent fragments are queued on a memory block. During session creation, the queued fragments might be processed for flow processing even though the session is still in the pending state. As a result, order information is lost and the fragmented packets are forwarded out of order.
PR993925
• On all SRX Series devices, the logical tunnel interface with Frame Relay encapsulation is not supported. When you configure a logical tunnel interface with Frame Relay encapsulation, the flowd process crashes. PR996072
• On all SRX Series devices with the integrated user firewall feature enabled, when there are 100,000 or more authentication entries, deactivating the useridd process might cause the flowd process to crash. PR996159
• On all high-end SRX Series devices, when an equal-cost multipath (ECMP) route is installed in the forwarding table and is used by the flow module, and if a better route is available for the flow module or a subset of the ECMP route is pointing to the flow module, the flow module does not reroute existing sessions to use the better route. PR996729
• On all SRX Series devices, when functions using the TCP proxy are enabled (for example, TCP-based ALGs such as FTP, H323, MGCP, MS RPC, PPTP, RSH, RTSP, SCCP, SIP, SQL, SUN RPC, and TALK; UTM; and TCP proxy screens such as SYN-ACK-ACK proxy flood and SYN flood), the TCP packets might be held for a long time in mbuf for TCP proxy processing. The system treats this situation as a memory leak, which causes the flowd process to crash. PR999416
• On all branch SRX Series devices, when the classifier is set based on EXP bits and the ingress logical interface is a VLAN-tagged interface and not unit 0, the classifier uses the default logical unit 0's classifier instead of the configured classifier queues, which forwards the MPLS traffic to unintended egress queues. PR1002325
• On all SRX Series devices, when the packet-capture option is configured on the egress interface and a multicast stream is sent through the device, the multicast traffic might not be captured. PR1005116
• On all high-end SRX Series devices, the flowd process crashes due to a cache error. PR1005195
• On SRX240H2, SRX240H2-POE, and SRX240H2-DC devices, the IDP cannot process any traffic due to an incorrect setting of flow sessions.
PR1011057
• On all high-end SRX Series devices (except SRX1400), fragmented IPsec packets might be out of order after decryption, causing TCP packet retransmission and performance degradation. PR1013223
• On all high-end SRX Series devices, when the central point runs in combo mode on an SPC I card and enable-utm-memory and in-line-tap IDP mode are enabled concurrently, the flowd process crashes continuously. PR1019568
• On all high-end SRX Series devices, in some scenarios, the flowd process might generate core files due to a stack overflow while running a log collection script (for example, a shell script that sends various CLI and VTY commands) on the device. PR1020739
• On all SRX Series devices, the flowd process might crash while applying a CoS filter for the host outbound traffic. PR1021150
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, configuring a sampling feature (flow monitoring) might cause high kernel heap memory usage. PR1033359

Dynamic Host Configuration Protocol (DHCP)

• On all high-end SRX Series devices, you cannot get the DHCP relay information through SNMP if DHCP relay is configured under the logical system. For example:
  bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
  PR909906
• On all high-end SRX Series devices, the DHCP server option-82 does not work. PR949717
• On all high-end SRX Series devices, the DHCP server SNMP information cannot be displayed in the logical system. PR956597
• On all branch SRX Series devices, if the DHCPv6 client is configured for the PPPoE interface and the pp0 interface is disabled and enabled, the pp0 interface does not acquire the IPv6 address from the DHCPv6 server.
PR998712

General Packet Radio Service (GPRS)

• On all high-end SRX Series devices with GTP enabled, some GTP traffic might be dropped with the reason message "Reason zero TID/TEID". This is because some GTP messages do not contain a TEID value in the GTP message header (such as Identification Response messages), and these messages are dropped incorrectly. PR999468

Interfaces and Routing

• On SRX650 devices, the VLAN interface is down after a reboot. PR969079
• On all SRX Series devices, the interface monitoring option causes an unexpected RG0 failover during the system reboot. This is because the interface monitoring option is only applicable to the data-plane interface and it should not be associated with RG0, which represents control-plane redundancy. Enabling the interface monitoring option under RG0 is not supported on high-end SRX Series devices. PR970023
• On SRX550 and SRX650 devices with WAN cards installed, if an interface is configured for Ethernet switching mode and is forwarding traffic, traffic processing might exhaust the mbuf pool. As a result, an interprocess communication (IPC) issue can occur, causing the WAN cards to go offline randomly. PR972332

Intrusion Detection and Prevention (IDP)

• On all high-end SRX Series devices, duplicate FLOW_IP_ACTION logs are generated while sending traffic. PR959512
• On all SRX Series devices, when you configure an automatic security package update without configuring the schedule interval and start time, high CPU usage on the idpd process is seen. PR973758
• On all SRX Series devices, when you upgrade from any Junos OS release to Junos OS Release 12.1X47-D15 with custom IDP attacks using custom nested applications, the mgd process commit fails. PR999282
• On all SRX Series devices, the custom dynamic group with the service TCP filter or the service UDP filter does not include TCP or UDP port-bound attack signatures.
The following error message is displayed:
  'dynamic-attack-group OTHER-PROTO-REC-CTS' Attack TCP-PROTO-REC-CTS: No matching members found. Group is empty
  error: configuration check-out failed
However, the group should not be empty, because of the configured queries of the custom dynamic group. PR1002526
• On all SRX Series devices, the Network Security Daemon (NSD) process might crash, causing the show security match-policies command to generate multiple core files. This is because the policy database does not synchronize between the Routing Engine and the Packet Forwarding Engine. PR1003099

J-Web

• On all SRX Series devices, when you open several connections to J-Web from the same IP address, the HTTP process might hang and J-Web becomes unresponsive. PR974042
• On all high-end SRX Series devices, no data is displayed for monitor-nat-source-resource usage. PR995880
• On all branch SRX Series devices, pagination does not work when more policies are configured. PR996545
• On all SRX Series devices, the serial number and the system uptime are not displayed in the Dashboard. PR1009371
• On all SRX Series devices, J-Web does not work with Firefox version 31. A blank screen is displayed after you log in. PR1015430

Network Address Translation (NAT)

• On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of random function memory corruption. PR982931
• On all high-end SRX Series devices, when you add a /96 IPv6 address to the host address of the deterministic NAT pool, an nsd core file is generated when you commit the configuration. PR985511
• On all SRX Series devices in a chassis cluster, when source NAT is configured with a port no-translation pool and a port overflow pool with the address-persistent feature, the port resource of the overflow NAT pool leaks on the backup node when the translated IP address creates a conflict on the port no-translation pool. PR991649
Platform and Infrastructure

• On SRX650 devices, when you execute the show security nat static rule all command continuously, the following message is displayed: "kern.maxfiles limit exceeded by uid 0". PR721715
• When devices were configured to use RADIUS authentication, if the user-permission string sent from the RADIUS server was longer than 129 characters, the device failed to process the user-permission string. This resulted in user permissions being set incorrectly. PR736331
• On all SRX Series devices, every time a user logs in with SSH, a "veriexec: fingerprint mismatch" message is reported in the log. PR929612
• On all high-end SRX Series devices, there is a buffer leak in the Application Delivery Controller (ADC) and Transparent Load Balancer (TLB) services due to the malfunction of atomic functions. PR934768
• On all SRX Series devices, when a PKI certificate is manually loaded without an absolute path given for the filename, the system defaults to the /var/tmp directory instead of the current working directory. PR954114
• On all high-end SRX Series devices in a chassis cluster with IPsec over the reth interface, the traffic from self to the st0 interface might be dropped when the primary node of RG0 is in Packet Forwarding Engine restart processing. PR955999
• On all high-end SRX Series devices, when you use dual control links and LACP, and the first control link goes down, LACP goes down on the secondary node for redundancy group 0. The secondary node might be the primary node for a data plane redundancy group (1+) and carry the traffic. Hence, the traffic might be interrupted. PR958841
• The SRX3400 device supports a maximum of two NPCs when multiple NPCs are inserted. The NPC in slot 5 is not initialized completely, and only one NPC in either slot 6 or slot 7 is functional.
PR963427
• On all SRX Series devices, leading spaces are incorrectly added before the numerical value of the <time-to-expire> element in the show arp expiration-time | display command output. PR974410
• On SRX220 and SRX550 devices, you can configure a maximum of 250 connections as the connection-limit. However, 250 connections cannot be established. To set the maximum connection limit, use the set system services telnet connection-limit command. PR976318
• On all SRX Series devices, due to a communication error between the master agent (snmpd process) and the subagent (mib2d process), the device fails to register some MIBs. For example, the following commands do not display any output when you run them:
  user@hostname> show snmp mib walk ifTable
  user@hostname:~$ snmpwalk -v 2c -c snmp@exp X.X.X.X ifAlias
  The following message is displayed:
  IF-MIB::ifAlias = No Such Object available on this agent at this OID.
  This means the OID is not registered. PR978535
• On all high-end SRX Series devices with multicast enabled, frequent multicast route changes might cause a JTree memory leak on the SPC. If the SPC runs out of JTree memory, routing information might not be updated on the Packet Forwarding Engine, causing traffic loss. The following log message is displayed when JTree memory is running low on the device:
  node1.fpc7.pic0 RSMON: Resource Category:jtree Instance:jtree0-seg0 Type:free-pages Available:1 is less than LWM limit:1638, rsmon_syslog_limit().
  PR979712
• On all high-end SRX Series devices in a chassis cluster, the backup node should not send SNMP traps. PR982777
• On SRX5400, SRX5600, and SRX5800 devices, the authentication header packet is dropped in the SRX5K IOC II after the ID sanity check due to inner protocol processing. PR986880
• On SRX5400, SRX5600, and SRX5800 devices, after a fabric reconnect, the fabric plane displays the Link error message after the fabric plane is online or offline.
PR990679
• On all high-end SRX Series devices, the session ager might get stuck due to memory corruption, causing the maximum session limit to be reached on SPUs. PR991011
• On all SRX Series devices, when you use NETCONF or Junos OS scripts to manage the device, the management process gets stuck in a loop, causing high CPU usage. PR991616
• On all SRX Series devices, when you upgrade the device using ISSU, the system displays the following log messages:
  May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr xeth_get_scheduler_numbers
  May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found for ifl:81
  May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0) : Cannot find service table entry ptr xeth_get_scheduler_numbers
  May 22 16:54:05 srx5k-1 node1.fpc11 XETH(11/0):xeth_get_ifd_member_rate_limit_stats(ge-23/0/0): No scheduler found for ifl:81
  PR995928
• On SRX100, SRX110, and SRX210 devices, no events are displayed when the temperature of the chassis exceeds the thermal threshold value. PR999888
• On all high-end SRX Series devices in a chassis cluster with interface monitoring enabled, interfaces might be incorrectly monitored as down due to a memory allocation issue. PR1006371
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K IOC II, the SRX5K IOC II might send packets out of order, causing end-to-end performance degradation. PR1007455
• On SRX3400 or SRX3600 devices in a chassis cluster, the FPC 0 Minor Errors alarm is raised because of excessive invalid pkt type errors reported by the Network Processing Card (component). PR1008968
• On SRX1400, SRX3400, and SRX3600 devices configured with firewall simple filters, if you change the simple filter terms, some terms might not be installed properly in the data plane. As a result, the simple filter might not work as expected.
PR1012606
• On all SRX Series devices, when a new user is created, the home directory for the user is not created. PR1015156

Screens

• On all high-end SRX Series devices with flooding type screens configured, if multiple logical interfaces on the same network processing unit (NPU) have been configured in the same zone, then changing the flooding thresholds might cause each of these logical interfaces to have inconsistent thresholds, and sometimes some logical interfaces might not have any screen flood protection at all. PR972812

System Logging

• On all high-end SRX Series devices, when the syslog option is configured under the [logical system] hierarchy, the system logs are not rotated correctly, some of the files in the /var/log directory are not compressed, and some of the files are compressed with only two lines. PR980061
• On all high-end SRX Series devices, when you configure multiple stream modes under the [security log] hierarchy and one of the stream modes is set to severity warning, the system log traffic on the other streams is stopped. PR1009428

Unified Threat Management (UTM)

• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled, chunked HTTP traffic might be terminated unexpectedly by the client due to incorrect content sent by the branch SRX Series device. As a result, the whole page or partial content is not displayed in the client browser. PR971895
• On all SRX Series devices with UTM content filtering enabled, when the filename extension value is set to .com to block URLs, the content filtering feature incorrectly treats the <searchpart> as a path and blocks URLs that end with .com. PR1008108
VPN
• On all SRX Series devices, in certain situations when the device has more than one IKE Security Association (SA) installed for the same peer device and Dead Peer Detection (DPD) is triggered, the DPD messages are not sent from the device to the peer, causing the IKE SA to remain installed on the device until it expires. PR967769
• On all SRX Series devices, when the device is configured with similarly named CA profiles (for example, caprofile, caprofile_1, caprofile_3, and so on) and CA certificates are loaded into these profiles, clearing the first CA certificate also clears the certificates of every other CA profile whose name starts with the same keyword. PR975125
• On all SRX Series devices, dynamic VPN user groups cannot access certain remote resources. In this scenario, two policies refer to the same dynamic VPN and one of the policy directions is not set, so the lookup fails on the null policy at the end. PR988263
• On all SRX Series devices deployed as the hub in a hub-and-spoke VPN scenario with dynamic endpoint VPN (DEP VPN) spokes, if and manual NHTBs are configured, changing (adding or deleting) NHTBs might cause other NHTBs to be deleted and existing tunnels to go down. PR1001692

Resolved Issues 12.1X47-D10

Application Layer Gateways (ALGs)
• On SRX Series devices with a VoIP-related ALG (either H.323 or SIP) and NAT enabled for the VoIP traffic, the corresponding ALG creates persistent-nat-binding entries for the reverse VoIP traffic (even though the persistent NAT feature is not configured in the source NAT rule) when VoIP traffic is transmitted into a custom routing instance.
Hence, the system does not apply the custom routing instance information to the persistent-nat-binding entries, and the reverse traffic that matches the persistent-nat-binding entries is forwarded to the default routing instance instead of to the custom routing instance. The reverse traffic is dropped or forwarded to the wrong place. PR924553
• On all SRX Series devices, the REAL ALG is not supported, but you can configure it from both the CLI and J-Web. PR943123
• On all SRX Series devices with the SCCP ALG enabled, the SCCP ALG drops packets with an unknown message identification. In a NAT scenario, the SCCP ALG performs NAT for different SCCP messages with different NAT results, and data traffic is dropped. PR952180
• On all SRX Series devices, a flowd core file is generated because of a malformed SIP packet. PR956157
• On all SRX Series devices, the Microsoft Active Directory or Microsoft Outlook client might get disconnected from the server because the MS-RPC ALG incorrectly drops the data connections under heavy load. PR958625
• On all SRX Series devices, when the ALG receives IPv6 payload information for processing and IPv6 flow mode is not enabled on the device, the flowd process might crash. PR964817
• On all SRX Series devices, when RTSP ALG traffic passes through a routing instance of type virtual-router, the traffic is dropped. PR979899

Authentication and Access Control
• On all SRX Series devices, when Web authentication is enabled using SecurID authentication, authentication fails if the DNS server configuration changes, because the authd process continues to send DNS requests to the old DNS server. PR885810
• On SRX Series devices (except the SRX110) in a chassis cluster working as a Unified Access Control (UAC) enforcer, when RG0 failover occurs, the Packet Forwarding Engine might connect to the uac process before the uac process connects to the UAC server.
In this condition, the uac process tells the Packet Forwarding Engine that the UAC server is disconnected. When the Packet Forwarding Engine receives this information, it denies new traffic that matches the UAC policies. Traffic resumes after the connection between the uac process and the UAC server is established. PR946655
• On all SRX Series devices, the application firewall module might cause the Network Security Daemon (NSD) to leak up to 4 KB of memory on each configuration commit. PR969107

Chassis Cluster
• On all SRX Series devices in a chassis cluster, the dcd process causes a memory leak on the Routing Engine when you configure a reth interface (that is, activate, deactivate, delete, or add a reth interface). PR893759
• On all SRX Series devices in a chassis cluster, when you download the IDP signature database on the primary node, it is not synchronized to the secondary node. PR914987
• On all high-end SRX Series devices in a chassis cluster, in certain IPv6 configurations, the SPU sends out packets with an invalid header on the secondary node, which in turn triggers a hardware monitoring failure on the secondary node. PR935874
• On all branch SRX Series devices in a chassis cluster, if an identical address is found on both private and public interfaces, a kernel panic occurs after RG0 failover. PR937438
• On all SRX Series devices (except the SRX110) in a chassis cluster, in certain conditions, the chassis cluster fabric link hello packet might be corrupted, causing the flowd process to crash. PR939828
• Because of logic problems with the next-generation SPC nvram component, the central Packet Forwarding Engine processor sometimes tries to yield a thread while interrupts are disabled. This operation causes the central Packet Forwarding Engine processor to hang, and the Flexible PIC Concentrator is marked as offline.
As a result, chassisd detects the Flexible PIC Concentrator as being down and resets all Flexible PIC Concentrators, causing failover in chassis clusters. PR940392
• On all branch SRX Series devices, the counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR949962
• In Junos OS Release 12.1X46-D10 and earlier, in a chassis cluster environment, when a secondary node failed, no notification was sent to report the secondary node failure. Starting in Junos OS Release 12.1X47-D10, in chassis cluster mode, the primary node sends the SNMP generic event trap to report failures on both the primary node and the secondary node. PR953639
• On all SRX Series devices (except the SRX110) in an asymmetric chassis cluster scenario, the secondary node (for example, node 1) uses a local interface to back up the interface on the primary node (for example, node 0). If there is a route change, traffic egresses from the backup interface, which is the local interface of node 1. After the route is restored, traffic egresses again from the primary interface, which is the local interface of node 0. The session related to the route change is in the active state on both nodes. Traffic might be interrupted when the session times out on the backup node and the session on the primary node is deleted. PR951607
• On all branch SRX Series devices, G-ARP replies do not update the existing MAC address entry. When the MAC address timer expires, a new MAC address entry is created. PR953879
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, when the secondary node becomes ineligible because of a control link failure, it might still forward traffic. This causes the reth interface to flap and the related traffic to drop while the secondary node is in the ineligible state.
PR959280
• On SRX5400, SRX5600, and SRX5800 devices in a chassis cluster, when you disable LACP on a reth interface, the related route's next hop remains in the hold state. PR960994
• On all SRX Series devices (excluding SRX110 devices) in a chassis cluster, after a power cycle of the primary node, the Flexible PIC Concentrators (FPCs) on both nodes might lose the connection to the new primary Routing Engine, causing the FPCs on both nodes to get stuck in the present state. PR961351
• On SRX3600 devices, the fabric link goes down when you execute a manual failover using the request chassis cluster failover redundancy-group 0 node 0 command. PR965077

Dynamic Host Configuration Protocol (DHCP)
• SRX100 devices send the same DHCP packets twice, whereas SRX220 devices send the DHCP packets only once. PR894760
• On all SRX Series devices, you cannot get DHCP relay information through SNMP if DHCP relay is configured under a logical system. For example:
  bash-3.2# snmpwalk -c lsys1/default@junos -t 5 -v 1 -Os -Oq -Oe -Pu -m /tmp/jnx-smi.mib:/tmp/jnx-jdhcp.mib 10.208.131.136 jnxJdhcpRelayStatistics
  bash-3.2#
  PR909906
• On all SRX Series devices, in the DHCPv6 client command description, the word stateful was misspelled as statefull. It is changed to stateful in the description; however, the keyword is retained as statefull to avoid incompatibility. PR924692
• On all high-end SRX Series devices, after you configure DHCPv6 in IPv6 mode, the dhcpv6 process crashes. PR940078
• On all high-end SRX Series devices, DHCPv6 does not work in IPv6 mode. PR942246
• On all high-end SRX Series devices, the DHCP server on the device gives the same IP address to two different hosts, and both hosts are active in the MAC binding table, causing a connectivity issue. This issue might occur if the DHCP server receives a DHCP INFORM packet from a binding client and a DHCP RELEASE packet from the same client.
PR969929

Flow-Based and Packet-Based Processing
• On SRX220H2 devices, the TCP connection rate might drop by 15 percent. PR898217
• On SRX100H2 devices, the device reboots unexpectedly and multiple core files are generated because of a DDR2 memory timing issue between the DRAM and the CPU. The symptoms include flowd core files, core files from other processes (for example, snmpd, ntpd, and rtlogd), silent reboots without core files, and system freezes. These core files are related to RAM access (for example, pointer corruption in a session ager ring entry), and there are no consistent circumstances that cause them to be generated. PR923364
• On all SRX Series devices, when you run the clear security flow session command with a prefix or port filter, some of the sessions are not matched by the filter, causing a traffic drop or delay. This issue is triggered by any of the filters. PR925369
• On all branch SRX Series devices, in some cases, the ARP response is not accepted when the frame size is above the common value (for example, when the frame was padded by intermediate Layer 2 devices). PR927387
• On all SRX Series devices configured with IDP, for the AppSecure, ALG, GTP, or SCTP features that require serialized flow processing, the memory buffer might leak, causing the flowd process to crash. PR930728
• On all SRX Series devices, when loading a configuration in private mode, the annotated message statement is truncated to 1024 characters. PR930834
• On all SRX Series devices, if a GRE tunnel configuration is committed without a correct route to the tunnel destination, the GRE tunnel session binds the wrong anchor interface (the GRE tunnel outgoing interface) by route lookup. This anchor interface is not updated even after the route is corrected in a subsequent commit. PR933591
• On all SRX Series devices, the indirect next hop for ECMP is not supported.
PR935867
• On all SRX Series devices (except the SRX110) configured in a chassis cluster, under certain conditions, the flowd process might crash during the cold synchronization process. PR936014
• On all high-end SRX Series devices, in certain circumstances, high CPU consumption on the data plane and eventual exhaustion of the internal system buffers might corrupt the forwarding table, causing partial traffic drops. PR938742
• On all SRX Series devices, when IKE packets are received before the Junos OS default applications are pushed to the Packet Forwarding Engine, the IKE sessions are established without being marked with the IKE application. As a result, fragmented IKE packets cannot be sent to iked, because the IKE session has not used the IKE application. PR942730
• On all SRX Series devices, if the first packets of a single session arrive from both directions at the same time, the application information on the session is corrupted during session installation and the flowd process crashes. PR942877
• On all SRX Series devices, when the device is in packet mode, after you change an interface configuration, the warning message warning: You have changed inet flow mode; You must reboot the system for your change to take effect is displayed. The same message is displayed on every commit until the next reboot. This message can be safely ignored. PR949472
• On SRX240, SRX550, and SRX650 devices, when the device receives a TCP reset (RST) and a FIN (the second FIN of the session) at the same time for a session, the RST and the FIN packet might be processed by different threads. As a result, the session timeout is updated incorrectly, and the session remains in the session table for 150 seconds. PR950799
• On all SRX Series devices, the flowd process might crash when the system performs the persistent NAT function for ALG traffic.
This is because there is not enough memory to allocate persistent NAT bindings. PR951011
• On all SRX Series devices, when RG0 failover is triggered, the old RG0 primary device reboots or both devices reboot. PR953723
• On SRX240, SRX550, and SRX650 devices, in certain situations, flow sessions time out and get corrupted. This leads to the flow session count being set to an abnormally high value, which eventually causes the session table to become full. PR955630
• On all high-end SRX Series devices, the flowd process might crash during session installation. PR956775
• On all SRX Series devices, an SSH connection is not possible between Cisco devices running IOS version 15 or later and SRX Series devices running Junos OS Release 11.2 or later. PR957483
• On all SRX Series devices, in a site-to-site VPN scenario, when the device is configured as the IPsec initiator, the flow session timeout is refreshed by the reroute packet. This causes an old session to remain in the session table, the VPN connection not to recover, and packets to be dropped. PR959559
• On all branch SRX Series devices, when you configure an ICMP probe-server option under the [services rpm] hierarchy for a specific interface (for example, ge-0/0/0), the device does not respond to ICMP requests on this interface. Other interfaces are not affected and continue to respond to ICMP requests. PR960932
• On all SRX Series devices, when you reboot the passive node, CPU usage increases on the flow SPUs of the primary node for a few seconds, during which traffic latency increases. PR962401
• On all SRX Series devices, filter-based forwarding (FBF) rules are ignored when existing sessions are rerouted. PR962765
• On all branch SRX Series devices with the IP spoofing screen enabled, the routing table search might fail because the routing table is locked by the system, causing a false-positive IP spoofing detection.
PR967406
• On all high-end SRX Series devices, when you send SCTP packets to test the capacity, the SCTP packet might generate a core file. PR968951
• On all SRX Series devices, white spaces are not supported in the PKI certificate name. PR975374
• On SRX550 devices, the maximum number of flow sessions is configured incorrectly. The devices have larger session capacities than the configured session values. PR977169
• On all branch SRX Series devices, application traffic control rate limiters are unsupported on model H2. PR979901
• On all SRX Series devices, in rare cases, the device starts using sequential source ports for source NAT because of memory corruption in the random function. PR982931

General Packet Radio Service (GPRS)
• On all SRX Series devices, when you send the 4-way handshake control packets to create associations for the capacity test, a core file is generated. PR980262

Hardware
• On SRX550 and SRX650 devices, the SRX-GP-DUAL/QUAD-T1-E1 GPIM might have interoperability issues with the remote CSU using the national standard feature because of a violation of ITU-T recommendation G.704. PR939944

Interfaces and Routing
• The counter for incoming traffic on a fabric interface (used for chassis cluster) always shows zero (0). PR520962
• On an SRX5600 virtual chassis, when you swap the members of a LAG, a vmcore or ksyncd core file might be generated on the backup Routing Engine. PR711679
• On all SRX Series devices, when you configure and commit IPv6 addresses on a logical interface, the output of the show interface terse command does not reflect the change immediately. PR802229
• SRX5800 devices might log the Bottom Fan Tray Unable to Synch message. However, this message can be ignored. PR833047
• On all branch SRX Series devices with 3G wireless modems, the 3G dialer interface dl0.0 might get stuck in the down link state.
PR855897
• On SRX550 devices, the T3/E3 FPC goes offline after provisioning a switched port on the ge-0/0/0 interface. PR919617
• On SRX Series devices with the 3G USB wireless modem, when the signal is low, the 3G cellular modem interface (cl-0/0/*) displays the status as Connected even though there is no signal, or there is a low signal with no network connection. This is because there is no mechanism for the wireless WAN process to notify the Routing Engine of the status change, even though the Packet Forwarding Engine is notified. After the signal recovers, the 3G cellular modem interface is not able to dial again. PR923056
• On all high-end SRX Series devices, the output of the show interface extensive command is cut short with the error message error: route rpf stats get for interface. PR930630
• When IS-IS is configured between the SRX Series device and some third-party devices, after the SRX Series device is rebooted and the IS-IS adjacency is reestablished, the routes advertised by the third-party devices might not be installed in the routing table in some cases. PR935109
• On SRX550 devices with DS3/E3 interfaces, the external clocking option was disabled to work around a hardware limitation affecting this clocking option. With the revised version of the hardware, the external clocking limitation has been fixed, so the external clocking option is reenabled. PR936356
• On all SRX Series devices, deactivating static routes can lead to the deactivation of other configuration sections. PR939712
• On all SRX Series devices, modifying a policy element that is deactivated by the policy scheduler leads to problems in searching the policy tree in memory. An incorrect policy match occurs after the policy is reactivated by the scheduler.
PR944215
• On all branch SRX Series devices with interfaces encapsulated with ethernet-ccc, when you connect to an ae interface with LACP enabled, the LACP packets do not pass through the ethernet-ccc encapsulated interface. PR945004
• On SRX100B2, SRX100H2, SRX210B, SRX210HE2, SRX210HE2POE, SRX220H2, SRX220H2POE, SRX240B, SRX240B2, SRX240H2, and SRX240H2POE devices, the Point-to-Point Protocol over Ethernet (PPPoE) session is disconnected or the connection is not available. PR956307
• On SRX210 and SRX220 devices, certain jumbo frames are dropped even though the MTU is set correctly. PR963271
• On all SRX Series devices, the clear security dns-cache command is extended to resolve all DNS entries immediately. Similarly, the security policies containing DNS names are updated immediately to use the refreshed IP addresses after the FQDN addresses are resolved. PR970235
• On all SRX Series devices, when the proxy-ndp feature is enabled on an interface, the entries in the IPv6 neighbor table for that interface might flap. PR970281
• On SRX5400, SRX5600, and SRX5800 devices, the counters displayed for the reth interface are not correct. PR978421

Intrusion Detection and Prevention (IDP)
• On SRX Series devices with IDP enabled, high data plane CPU usage occurs on certain SPUs for a few seconds. PR848485
• On all SRX Series devices, when you disable the IDP policy optimizer using the set security idp sensor-configuration no-policy-optimizer command, the policy fails to load after a reboot. PR883258
• On branch SRX Series devices with IDP enabled, when you use the hardware Deterministic Finite Automaton (DFA), which is enabled by default on all devices except the SRX100 and SRX110 in Junos OS Release 11.4, a false positive might occur for the signature APP:RDP-BRUTE-FORCE. PR911994
• On all SRX Series devices, a new entry or flag representing an alert notification is seen in the system log message.
If the alert is configured in the IDP rules, the flag is set to “yes”; otherwise, it is set to “no”. PR948401
• On all high-end SRX Series devices, when the LACP mode is fast and IDP is in inline-tap mode, a LACP flap might occur when you commit the configuration. PR960487
• On all SRX Series devices, when you upgrade the detector version, the detector kconst value reverts to the default value. PR971010

J-Web
• On all SRX Series devices, the httpd process generates a verbose log in the default configuration. PR930723
• On all SRX Series devices, when you make any changes on a J-Web page and try to commit or refresh the page, the operation might time out because two Asynchronous JavaScript and XML (AJAX) requests are sent out at the same time. The second AJAX request is sent out when the first AJAX request does not receive a response. PR935552
• When you change the password minimum-length value from 6 to 8 characters, J-Web shows the error message minimum-length is 6. PR942219
• On all SRX Series devices, J-Web does not accept the keyword “any” in the address-book object name. PR944952
• On all SRX Series devices, session logs generated by the global policies are not displayed on the Monitor > Events and Alarms > Security events page or in the policy log window on the Configure > Security > Policy page in J-Web. PR962892
• On all branch SRX Series devices, when dynamic VPN is configured, it is not possible to configure the local-certificate or pki-local-certificate options for Web management. A commit error is displayed when these options are configured. Only the self-signed certificate option can be configured. PR969672
• In J-Web, the App-FW page does not show the counter information. PR972473

Network Address Translation (NAT)
• On all SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, a certain crafted packet might cause the flowd process to hang or crash.
A hang or repeated crash of the flowd process creates an extended denial-of-service condition for the devices. PR954437
• In Junos OS Release 12.1X46-D10 and earlier, the device could not send the SNMP trap for the NAT pool when logical systems were configured. Starting with Junos OS Release 12.1X47-D10, the SNMP trap for the NAT pool can be sent from the device when logical systems are configured. PR959219
• On all high-end SRX Series devices, the source paired address table for the IPv6 PBA pool is not released on the primary node after the session times out. PR975093

Platform and Infrastructure
• On all high-end SRX Series devices, when the management-ethernet link-down ignore command is configured under the chassis alarm hierarchy, the show chassis alarm command does not display the fxp0: Ethernet Link Down alarm message. However, the following messages might be seen in the logs:
  craftd[1163]: %DAEMON-3: attempt to delete alarm not in list
  alarmd[1162]%DAEMON-4: Alarm cleared: RE color=IGNORE, class=CHASSIS reason=Host 0 fxp0: Ethernet Link Down
  PR749954
• On all SRX Series devices, when you log in to the device, the login process might crash because of abnormal disconnection behaviors. PR802169
• On SRX240, SRX550, and SRX650 devices, when the device receives out-of-order packets while transferring large TCP files, throughput might be heavily impacted. PR881761
• When GRE is enabled, AppQoS classification, marking, or rate limiting does not work for fragmented packets in the client-to-server direction. PR924932
• On all SRX Series devices, when using JDHCP, the server does not respond to the client with a DHCPOFFER packet when it receives the DHCPDISCOVER packet from the client. This causes the authd process to consume a large amount of CPU and increases storage consumption on the /mfs partition.
PR925111
• On SRX5800 devices in a chassis cluster, when the device is connected to a Nexus switch, a control plane failover occurs. This failover causes the LACP timer to change from slow periodic to fast periodic. PR926019
• On all SRX Series devices, for SCTP IPv6 traffic in traffic logs, all the source and destination ports are marked as port 1. PR928916
• On SRX1400 devices with a SYSIO-XGE IOC card, the xe-0/0/9 interface might not come up when the cable is reconnected after you upgrade to Junos OS Release 12.1X47-D10. PR929276
• On all SRX Series devices, when the Network Security Daemon (NSD) holds a buffer related to the NAT proxy-arp process, a memory leak occurs. This issue occurs when you commit the configuration. PR931329
• On SRX1400 devices, if the port ge-0/0/6 is plugged in with an SFP-T (part number 740-013111) transceiver, the port might be set to physically down after upgrading to Junos OS Release. PR933751
• On SRX1400, SRX3400, and SRX3600 devices configured in a chassis cluster with an SRX1K3K-NP-2XGE-SFPP card installed, the cold synchronization process might fail on certain SPC cards with the message No response from peer node after 900 tries. PR941845
• On all SRX Series devices containing a large number of next-hop entries, if interface flaps happen frequently, the Routing Engine might fail to allocate the next-hop index, causing traffic to drop. PR943388
• On all branch SRX Series devices, because of a timing issue, the VLAN interface might fail to add security zone information after an RG0 failover. PR944017
• On SRX5400, SRX5600, and SRX5800 devices with an SRX5K-SPC-4-15-320 (next-generation SPC) installed, the hardware interrupt handler checks the link up or link down status for unused ports internal to the next-generation SPC.
The next-generation SPC might cause the Control Plane Processor (CPP) to hang, causing all the Flexible PIC Concentrators (FPCs) to reset. PR959655
• On SRX1400, SRX3400, and SRX3600 devices, high traffic on the fxp0 interface destabilizes the control plane functions. PR962909

Switching
• On SRX210 devices running in packet mode, when DSCP marking (32 - 63) is on and the destination MAC in the packet header is present in the SRX ARP table, the devices reply to packets that are not destined to them. On devices in a chassis cluster, you must ensure that packets not destined to the SRX210 do not reach the device. PR950486

System Logging
• On SRX3400 and SRX3600 devices, the following system logs are seen in the messages file:
  sfchip_show_rates_pfe: Fchip Plane 0, dpc 0, pfe <1/2/3>: Invalid dpc
  These system logs do not affect the device. PR738199
• On SRX5400, SRX5600, and SRX5800 devices, when error-correcting code (ECC) errors occur on IOC or FIOC cards, it is difficult to identify the issue because the error is not logged on the device. PR900617
• The error OpenSSL: error:14090086:lib(20):func(144):reason(134) means that server certificate verification has failed. The certificate might be a self-signed certificate or an expired certificate. PR932274
• On all SRX Series devices, the following error message is displayed in the system or event logs after you upgrade to Junos OS Release 12.1X47-D10: Can't find ifa on e1-x/0/x.y. This message is harmless, does not affect the E1 interfaces, and can be ignored. PR971503
• The SNMP walk for the jnxPicType2ASPCXLP object might fail, showing the jnxPicType2ASPCXLP (could not resolve 'jnxPicType2ASPCXLP' to an OID) error message in the logs and failing to receive information from the device. PR974463
Unified Threat Management (UTM)
• On all branch SRX Series devices, webpages become unavailable and do not display any content when you enable Sophos antivirus for HTTP traffic. PR906534
• On all high-end SRX Series devices, EWF logs are not marked with user role information. PR936799
• On all branch SRX Series devices with the UTM Kaspersky antivirus (KAV) option enabled and the intelligent-prescreening option configured, a chunked packet that contains only chunk-size data without any actual data is recognized as an invalid data packet, and the packet is dropped before it is passed to the KAV engine in the KAV HTTP proxy processing. PR937539
• On all branch SRX Series devices, when the category action is permit, the result is the category site-reputation action; when no category reputation action is defined, the result falls through to the global site-reputation action and then the default action. This confusion occurs because the explicit permit action is not applied under the specific category. To resolve this problem, configure the explicit action directly on the category. If you do not configure any action, the result is the next global site-reputation action. Category reputation is not used in enhanced Web filtering. PR939352
• On all high-end SRX Series devices, when you install a license, you might see the message license not valid for this product add license failed. Even though the message appears, the feature still functions normally. In addition, the show system license command does not display the Sophos antivirus, antispam, or Web filtering licenses. PR948347
• On all branch SRX Series devices, the test security utm anti-virus command for the antivirus feature does not work and returns an Invalid argument error message.
PR951124
• On all branch SRX Series devices, when the KAV license expires and a new license is installed, deleting the old license file causes the KAV engine status to change to Not Ready. The deletion event triggers an AV license status update, and the utmd process might conclude that the KAV license is not installed and unload the pattern database. PR954590
• On all SRX Series devices with UTM and the Sophos antivirus (SAV) service enabled, if source NAT for self-generated traffic is configured, the DNS queries from the UTM SAV service fail with timeouts. PR963978
• On all high-end SRX Series devices, UTM blacklists and whitelists should work without an EWF license. PR970597

VPNs
• On all SRX Series devices, when IPsec is enabled, AppQoS does not assign egress traffic to the configured forwarding class. PR753762
• On all SRX Series devices, in a site-to-site IPsec VPN deployment using IKEv2, when tunnels are removed through a configuration change, the information is not propagated to the remote peer. Later, when the peer initiates a normal Phase 1 rekey, the kmd process crashes and core files are generated. PR898198
• On all SRX Series devices, when a VPN configuration change and an interface configuration change are committed together, or after rebooting the device with VPN and interface configured together, the tunnel sessions created in flowd are missing. This impacts the traffic flow on that tunnel. The invalid bind interface counter returns a nonzero value when you run the show usp ipsec global-stat command. PR928945
• Certificate-based authentication fails when the RSA signature from the remote peer uses SHA-256 as the message digest algorithm. PR936141
• On all SRX Series devices configured with IPsec VPN and with VPN monitoring enabled, the VPN monitor function triggers a socket leak, which might result in critical issues such as flow SPUs becoming unresponsive.
PR940093 • On all SRX Series devices, when IPsec is used in a chassis cluster, after the SPU or flowd uptime reaches 50 days or more, the amount of RTO traffic on the fabric link increases. PR941999 • On all SRX Series devices with multiple proxy-identity (MPID), dead routes are seen while moving the st0 interface from one virtual router to another. PR943577 • On all branch SRX Series devices configured in a chassis cluster with route based IPsec VPN enabled, during RG0 failover to the new primary node, if a route-based VPN does not have IPsec SAs associated with the tunnel, then the bind interface (st0) associated with the tunnel is marked down. The interface remains in down state, causing the VPN traffic to drop. PR944478 • On all SRX Series devices, after traffic-selector configuration is deleted from the VPN configuration object, the data traffic stops passing through the tunnel. PR944598 • On SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices, high CPU usage occurs after installing the additional SPC cards without a full cluster reboot, and IPsec tunnels carry the SCTP traffic anchored on the device. PR945162 • SRX Series devices cannot proceed to automatic certificate reenrollment through SCEP. The certificate validity period is incorrectly calculated during the autorenewal process. Also, when the CRL is downloaded through LDAP, it can be partially received from the CA server and the pkid process goes up. PR946619 • On all SRX Series devices, when there are more than 100 traffic selectors configured on a VPN configuration object along with configured, established, tunnels, if all IPsec SAs for this VPN configuration object are cleared at the same time (because of a configuration change on a peer or the use of the clear operational command), the bind-interface associated with that VPN configuration object might be marked as down. 
PR947103 • On all SRX Series devices, in a hub-spoke IPsec VPN scenario, when you commit the static NHTB configuration on the multipoint secure tunnel (st0) interface, the VPN routes might become active even though the VPN tunnel is down. This issue also occurs when you reboot the system with static NHTBs and the related static routes are configured. PR947149 Copyright © 2015, Juniper Networks, Inc. 69 Junos OS 12.1X47 Release Notes Related Documentation 70 • On SRX Series devices configured as a route-based IPsec Dynamic End Point (DEP) VPN node, the VPN tunnel interface st0.x link incorrectly remains up when IPsec Security Association (SA) is not established, even though VPN monitoring or establish-tunnels immediately is configured. PR947552 • On all SRX Series devices, IPsec VPN packets are dropped in a chassis cluster Z mode when a fragmentation is required. PR956808 • On all SRX Series devices, any configuration changes to the st0.x interface might delete NHTB entries for unrelated st0 interfaces. PR958190 • On all SRX Series devices, in some situations, if the CRL server is not reachable, a memory leak might occur and show the kern.maxfiles limit exceeded by uid 0 message in console mode. Hence, the device administrator is not able to log in to the device anymore. PR959194 • On all SRX Series devices, disabling anti-replay on a policy based VPN does not take effect immediately but requires kmd process to restart. PR979846 • On all SRX Series devices, IPsec VPN tunnels could not come up due to unavailability of buffer space. PR985494 • On all branch SRX Series devices, in group VPN member, the KMD_PM_IKE_SERVER_NOT_FOUND message appears repeatedly in the kmd log file after rekey.PR991306 • New and Changed Features on page 6 • Changes in Behavior and Syntax on page 23 • Known Behavior on page 30 • Known Issues on page 39 • Documentation Updates on page 71 • Migration, Upgrade, and Downgrade Instructions on page 74 Copyright © 2015, Juniper Networks, Inc. 
Documentation Updates

This section lists the errata and changes in the Junos OS Release 12.1X47-D10 documentation.

Documentation Updates for the Junos OS Software Documentation

This section lists the errata and changes in the software documentation.

IDP Policies Feature Guide for Security Devices

• This guide is missing information about new policy templates. Six new IDP policy templates are added. The new templates have the following features:
  • They are designed for ease of use and provide balanced performance and coverage.
  • The new templates include client protection, server protection, and client/server protection.
  • Each of the new templates has two device-specific versions, a 1-gigabyte (GB) version and a 2-GB version.

NOTE: The 1-GB versions, labeled 1G, should be used only on devices that are limited to 1 GB of memory. If a 1-GB device loads anything other than a 1-GB policy, the device might experience policy compilation errors due to limited memory, or limited coverage. If a 2-GB device loads anything other than a 2-GB policy, the device might experience limited coverage.

Use these templates as a guideline for creating policies. We recommend that you make a copy of these templates and use the copy (not the original) for the policy. This approach allows you to make changes to the policy and to avoid future issues due to changes in the policy templates.

The complete list of the new IDP policy templates is given in Table 10 on page 72.

Table 10: New IDP Policy Templates

Previously Available Policy Templates:

root@R1# set security idp active-policy ?
Possible completions:
  <active-policy>      set active policy
  DMZ_Services
  DNS_Service
  File_Server
  Getting_Started
  IDP_Default
  Recommended
  Web_Server

Updated/Currently Available Policy Templates:

root@R1# set security idp active-policy ?
Possible completions:
  <active-policy>      set active policy
  Client-And-Server-Protection
  Client-And-Server-Protection-1G
  Client-Protection
  Client-Protection-1G
  DMZ_Services
  DNS_Service
  File_Server
  Getting_Started
  IDP_Default
  Recommended
  Server-Protection
  Server-Protection-1G
  Web_Server

Descriptions of the new IDP policy templates are provided in Table 11 on page 72.

Table 11: Descriptions of the New IDP Templates (template: description)

• Client-And-Server-Protection: Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory.
• Client-And-Server-Protection-1G: Designed to protect both clients and servers. To be used on all devices, including low-memory branch devices.
• Client-Protection: Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory.
• Client-Protection-1G: Designed to protect clients. To be used on all devices, including low-memory branch devices.
• Server-Protection: Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory.
• Server-Protection-1G: Designed to protect servers. To be used on all devices, including low-memory branch devices.

Multicast Feature Guide for Security Devices

Multicast Source Discovery Protocol (MSDP) is not supported on SRX Series devices in any type of custom routing instance.

Various Guides

• Some Junos OS user, reference, and configuration guides (for example, the Junos Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS System Basics Configuration Guide) mistakenly do not indicate SRX Series device support in the "Supported Platforms" list and other related support information; however, many of those documented Junos OS features are supported on SRX Series devices.
For full, confirmed support information about SRX Series devices, please refer to Feature Explorer: http://pathfinder.juniper.net/feature-explorer/select-software.html?swName=Junos+OS&typ=1.

Related Documentation

• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Migration, Upgrade, and Downgrade Instructions on page 74

Migration, Upgrade, and Downgrade Instructions

This section contains the procedure to upgrade Junos OS for the SRX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network.

• End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines on page 74
• Upgrading and Downgrading Among Junos OS Releases on page 75
• Upgrading an AppSecure Device on page 76
• Network and Security Manager Support on page 77
• Upgrade and Downgrade Scripts for Address Book Configuration on page 77
• Hardware Requirements on page 79

End-of-Life Announcement for J Series Devices and the Low-Memory Versions of SRX100 and SRX200 Lines

Starting in Junos OS Release 12.1X47-D10, the J Series devices and the low-memory versions of the SRX100 and SRX200 lines with less than 2 GB of memory are discontinued and no longer supported.

NOTE: Upgrading to Junos OS Release 12.1X47-D10 or later is not supported on the J Series devices or on the versions of the SRX100 and SRX200 lines with less than 2 GB of memory. If you attempt to upgrade one of these devices to Junos OS 12.1X47-D10, the installation is aborted with the following error message:

ERROR: Unsupported platform <platform-name> for 12.1X47 and higher

For the model numbers of the discontinued products, the recommended replacement products, and the minimum software requirements for the replacements, see: http://www.juniper.net/support/eol/

If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).

Upgrading and Downgrading Among Junos OS Releases

All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones webpage: http://www.juniper.net/support/eol/junos.html

To help in understanding the examples presented in this section, a portion of that table is replicated here. Note that releases footnoted with a 1 are Extended End-of-Life (EEOL) releases.

You can directly upgrade or downgrade between any two Junos OS releases that are within three releases of each other.

• Example: Direct release upgrade
  Release 10.3 → (bypassing Releases 10.4 and 11.1) Release 11.2

To upgrade or downgrade between Junos OS releases that are more than three releases apart, you can first upgrade or downgrade to an intermediate release that is within three releases of the desired release, and then upgrade or downgrade from that release to the desired release.

• Example: Multistep release downgrade
  Release 11.3 → (bypassing Releases 11.2 and 11.1) Release 10.4 → Release 10.3

Juniper Networks also provides an even more efficient method of upgrading and downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a calendar year and can be more than three releases apart.
For a list of EEOL releases, go to http://www.juniper.net/support/eol/junos.html

You can directly upgrade or downgrade between any two Junos OS EEOL releases that are within three EEOL releases of each other.

• Example: Direct EEOL release upgrade
  Release 9.3 (EEOL) → (bypassing Releases 10.0 [EEOL] and 10.4 [EEOL]) Release 11.4 (EEOL)

To upgrade or downgrade between Junos OS EEOL releases that are more than three EEOL releases apart, you can first upgrade to an intermediate EEOL release that is within three EEOL releases of the desired EEOL release, and then upgrade from that EEOL release to the desired EEOL release.

• Example: Multistep release upgrade using an intermediate EEOL release
  Release 8.5 (EEOL) → (bypassing Releases 9.3 [EEOL] and 10.0 [EEOL]) Release 10.4 (EEOL) → Release 11.4 (EEOL)

You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade step if your desired release is several releases later than your current release.

• Example: Multistep release upgrade using an intermediate EEOL release
  Release 9.6 → Release 10.0 (EEOL) → Release 10.2

For additional information about how to upgrade and downgrade, see the Junos OS Installation and Upgrade Guide.

Upgrading an AppSecure Device

Use the no-validate Option for AppSecure Devices

For devices implementing AppSecure services, use the no-validate option when upgrading from Junos OS Release 11.2 or earlier to Junos OS 11.4R1 or later. The application signature package used with AppSecure services in previous releases has been moved from the configuration file to a signature database. This change in location can trigger an error during the validation step and interrupt the Junos OS upgrade. The no-validate option bypasses this step.
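The hop rules in "Upgrading and Downgrading Among Junos OS Releases" above, as an added example that is not Juniper code or tooling: a small Python planner that applies the three-release and three-EEOL-release limits to find a supported upgrade or downgrade path. The release table is constructed from the examples in the text (the EEOL releases and the 10.3, 10.4, 11.1, 11.2 ordering); the intermediate releases not named on this page are assumed.

```python
"""Planner for the Junos OS upgrade/downgrade spacing rules described above.

Added example, not Juniper documentation or tooling. The release table is
constructed: the EEOL releases and the ordering 10.3, 10.4, 11.1, 11.2 come
from the examples in the text; the remaining intermediate releases are assumed.
"""
from collections import deque

# Ordered release sequence, oldest first, with an EEOL flag (constructed table).
RELEASES = [
    ("8.5", True), ("9.0", False), ("9.1", False), ("9.2", False),
    ("9.3", True), ("9.4", False), ("9.5", False), ("9.6", False),
    ("10.0", True), ("10.1", False), ("10.2", False), ("10.3", False),
    ("10.4", True), ("11.1", False), ("11.2", False), ("11.3", False),
    ("11.4", True),
]
MAX_SPAN = 3  # a direct hop may span at most three releases (or three EEOL releases)

_INDEX = {name: i for i, (name, _) in enumerate(RELEASES)}
_EEOL_RANK = {name: r for r, (name, _) in enumerate(rel for rel in RELEASES if rel[1])}


def is_direct_hop(src: str, dst: str) -> bool:
    """True if a single upgrade or downgrade step from src to dst is supported."""
    if abs(_INDEX[src] - _INDEX[dst]) <= MAX_SPAN:
        return True
    # EEOL-to-EEOL shortcut: both releases are EEOL and within three EEOL releases.
    if src in _EEOL_RANK and dst in _EEOL_RANK:
        return abs(_EEOL_RANK[src] - _EEOL_RANK[dst]) <= MAX_SPAN
    return False


def upgrade_path(src: str, dst: str) -> list:
    """Fewest-hop sequence of releases from src to dst (inclusive), or [] if none.

    Breadth-first search over the hop rule; EEOL releases are offered as
    intermediates first, since they are the long-lived stepping stones.
    """
    if src not in _INDEX or dst not in _INDEX:
        raise ValueError(f"unknown release: {src!r} or {dst!r}")
    candidates = sorted((name for name, _ in RELEASES), key=lambda n: n not in _EEOL_RANK)
    previous = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            break
        for nxt in candidates:
            if nxt not in previous and is_direct_hop(current, nxt):
                previous[nxt] = current
                queue.append(nxt)
    if dst not in previous:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = previous[node]
    return path[::-1]


if __name__ == "__main__":
    for a, b in [("10.3", "11.2"), ("11.3", "10.3"), ("9.3", "11.4"), ("8.5", "11.4")]:
        print(f"{a} -> {b}: {' -> '.join(upgrade_path(a, b))}")
```

Because the search prefers EEOL intermediates, a multistep plan may pick a different (equally valid) EEOL stepping stone than the one shown in the text's example.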
Network and Security Manager Support

Network and Security Manager (NSM) support for SRX Series Services Gateways with Junos OS 12.1X47-D10 is available only with NSM versions 2012.2R6 / 2012.1R10 and later. For additional information, see the Network and Security Manager documentation.

Upgrade and Downgrade Scripts for Address Book Configuration

Beginning with Junos OS Release 12.1, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).

You can either define all address books under the [security] hierarchy in the zone-attached configuration format or under the [security zones] hierarchy in the zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both formats on one system.

Juniper Networks provides Junos operation scripts that allow you to work in either of the address book configuration formats (see Figure 1 on page 78).

• About Upgrade and Downgrade Scripts on page 77
• Running Upgrade and Downgrade Scripts on page 78
• Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases on page 79

About Upgrade and Downgrade Scripts

After downloading Junos OS Release 12.1, you have the following options for configuring the address book feature:

• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.
  After upgrading to the zone-attached address book configuration:
  • You cannot configure address books using the zone-defined address book configuration format; the CLI displays an error and fails to commit.
  • You cannot configure address books using the J-Web interface.
  For information on how to configure zone-attached address books, see the Junos OS Release 12.1 documentation.
• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.

NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.

Figure 1: Upgrade and Downgrade Scripts for Address Books (figure not reproduced; it shows: download Junos OS Release 11.2 or later; zone-defined address book; run the upgrade script; zone-attached address book configuration, in which the global address book is available by default, the address book is defined under the security hierarchy, and zones need to be attached to address books; run the downgrade script, after reverting any configuration that uses addresses from the global address book.)

Running Upgrade and Downgrade Scripts

The following restrictions apply to the address book upgrade and downgrade scripts:

• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 12.1 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.

NOTE: You cannot run the downgrade script on logical systems.

For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.

Upgrade and Downgrade Support Policy for Junos OS Releases and Extended End-Of-Life Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths: you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.

Hardware Requirements

Transceiver Compatibility for SRX Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Please contact Juniper Networks for the correct transceiver part number for your device.

Related Documentation

• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 23
• Known Behavior on page 30
• Known Issues on page 39
• Resolved Issues on page 44
• Documentation Updates on page 71

Product Compatibility

• Hardware Compatibility on page 80

Hardware Compatibility

To obtain information about the components that are supported on the device, and special compatibility guidelines with the release, see the SRX Series Hardware Guide.

To determine the features supported on SRX Series devices in Junos OS Release 12.1X46-D10, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/.

Third-Party Components

This product includes third-party components. To obtain a complete list of third-party components, see Copyright and Trademark Information.
Finding More Information

For the latest, most complete information about known and resolved issues with Junos OS, see the Juniper Networks Problem Report Search application at: http://prsearch.juniper.net.

Juniper Networks Feature Explorer is a Web-based application that helps you to explore and compare Junos OS feature information to find the correct software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/.

Juniper Networks Content Explorer is a Web-based application that helps you explore Juniper Networks technical documentation by product, task, and software release, and download documentation in PDF format. Find Content Explorer at: http://www.juniper.net/techpubs/content-applications/content-explorer/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net/pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to support@juniper.net. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.

Revision History

24 March 2015—Revision 2—Junos OS 12.1X47-D20 – SRX Series.
03 March 2015—Revision 1—Junos OS 12.1X47-D20 – SRX Series.

Copyright © 2015, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.