Tuesday 10 March 2015

Junos OS 12.1X46-D30 is not recommended with the IDP feature due to a significant detection rate drop

Product Affected:

SRX100, SRX110, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 running Junos OS 12.1X46-D30
 
Alert Description:

Because of a code change in Junos OS 12.1X46-D30 to the software DFA (Deterministic Finite Automaton), which is used for IDP signature pattern matching, the IDP detection rate drops significantly when the following conditions are met:
  • Upgraded to Junos OS 12.1X46-D30
  • IDP feature is configured on a security policy with IDP active-policy
  • Software DFA is used

What SRX platforms use the software DFA?
  • SRX100, SRX110, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 use software DFA
  • SRX210, SRX220, SRX240, SRX550, and SRX650 use hardware DFA

Solution:
This issue is fixed in Junos OS 12.1X46-D31 (Service Release), 12.1X46-D35 (scheduled to be released at the end of April 2015), and later releases.
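
To triage a fleet against the three conditions above, the following added example (not part of the original advisory or Juniper's own tooling) checks collected `show version` output and `set`-format configuration per device. The function names and sample data are hypothetical, and it assumes the usual `Model:` / `JUNOS Software Release [...]` lines and the `application-services idp` policy action.

```python
import re

# Platforms the advisory lists as using software DFA (model digits after "srx").
SOFTWARE_DFA = {"100", "110", "1400", "3400", "3600", "5400", "5600", "5800"}
AFFECTED_RELEASE = "12.1X46-D30"

def parse_show_version(text):
    """Return (model digits, release without build suffix) or None for each."""
    model = re.search(r"^Model:\s*srx(\d+)", text, re.I | re.M)
    release = re.search(r"\[(\d+\.\d+X\d+-D\d+)", text)
    return (model.group(1) if model else None,
            release.group(1) if release else None)

def idp_in_use(set_config):
    """True if an active-policy is set and a security policy invokes IDP."""
    active = re.search(r"^set security idp active-policy \S+", set_config, re.M)
    applied = re.search(
        r"^set security policies .* then permit application-services idp\s*$",
        set_config, re.M)
    return bool(active and applied)

def triage(show_version, set_config):
    """Return (affected, unmet) where unmet names the conditions not met."""
    model, release = parse_show_version(show_version)
    unmet = []
    if release != AFFECTED_RELEASE:
        unmet.append("release")
    if model not in SOFTWARE_DFA:
        unmet.append("software-dfa")
    if not idp_in_use(set_config):
        unmet.append("idp-active")
    return (not unmet, unmet)

# Constructed sample inputs (not captured from a real device).
SAMPLE_VERSION = """Hostname: fw-lab-1
Model: srx3400
JUNOS Software Release [12.1X46-D30.2]
"""
SAMPLE_CONFIG = """set security idp active-policy Recommended
set security policies from-zone untrust to-zone trust policy p1 then permit application-services idp
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A device is flagged only when `unmet` is empty; any entry in that list names the condition that keeps it out of scope.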


12.1X46-D31 Download Links

SRX5400/5600/5800
SRX1400/3400/3600
SRX100/110
