Junos software release 12.3R6 has been released. The software and
documentation are available for download from the Juniper Networks software download page.
Product Affected:
Monday, 24 March 2014
Saturday, 15 March 2014
Junos : Verifying Antivirus Configurations
General Scan Engine Status
Using the CLI, you can view the following scan engine status
items:
Antivirus license key status
- View license expiration dates.
Scan engine status and settings
- View last action result.
- View default file extension list.
Antivirus pattern update server settings
- View update URL (HTTP or HTTPS-based).
- View update interval.
Antivirus pattern database status
- View auto update status.
- View last result of database loading.
- If the download completes, view database version timestamp and virus record number.
- If the download fails, view failure reason.
Example status result:
CLI: show security utm anti-virus status
- AV Key Expire Date: 03/01/2010 00:00:00
- Update Server: http://update.juniper-updates.net/AV/SRX210
- interval: 60 minutes
- auto update status: next update in 12 minutes
- last result: new database loaded
- AV signature version: 12/21/2008 00:35 GMT, virus records: 154018
- Scan Engine Info: last action result: No error(0x00000000)
Session Status
Using the CLI, you can view the following session status items:
Antivirus session status displays a snapshot of current antivirus
sessions. It includes:
- Maximum supported antivirus session numbers.
- Total allocated antivirus session numbers.
- Total freed antivirus session numbers.
- Current active antivirus session numbers.
CLI: show security utm session
Verifying Antivirus Scan Results Using J-Web
View antivirus scan results using J-Web as follows:
- Select Monitor>UTM>Anti-Virus.
The following information becomes viewable in the right pane.
Antivirus license key status
- View license expiration dates.
Antivirus pattern update server settings
- View update URL (HTTP or HTTPS-based).
- View update interval.
Antivirus pattern database status
- View auto update status.
- View last result of database loading.
- If the download completes, view database version timestamp and virus record number.
- If the download fails, view failure reason.
Antivirus statistics provide
- The number of scan requests being pre-windowed.
- The total number of scan requests forwarded to the engine.
- The number of scan requests using scan-all mode.
- The number of scan requests using scan-by-extension mode.
Scan code counters provide
- Number of clean files.
- Number of infected files.
- Number of password protected files.
- Number of decompress layers.
- Number of corrupt files.
- When the engine is out of resources.
- When there is an internal error.
Fallback applied status provides either a log-and-permit or block result when the following has occurred
- Scan engine not ready.
- Password protected file found.
- Decompress layer too large.
- Corrupt file found.
- Out of resources.
- Timeout occurred.
- Maximum content size reached.
- Too many requests.
- Other.
- You can click the Clear Anti-Virus Statistics button to clear all current viewable statistics and begin collecting new statistics.
Verifying Antivirus Scan Results Using the CLI
Using the CLI, you can view statistics for antivirus requests,
scan results, and fallback counters.
Scan requests provide
- The total number of scan requests forwarded to the engine.
- The number of scan requests being pre-windowed.
- The number of scan requests using scan-all mode.
- The number of scan requests using scan-by-extension mode.
Scan code counters provide
- Number of clean files.
- Number of infected files.
- Number of password protected files.
- Number of decompress layers.
- Number of corrupt files.
- When the engine is out of resources.
- When there is an internal error.
Fallback applied status provides either a log-and-permit or
block result when the following has occurred
- Scan engine not ready.
- Maximum content size reached.
- Too many requests.
- Password protected file found.
- Decompress layer too large.
- Corrupt file found.
- Timeout occurred.
- Out of resources.
- Other.
CLI: show security utm anti-virus statistics
Tuesday, 4 March 2014
JUNOS : New Features - ALG Overview
An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols
such as Session Initiation Protocol (SIP) or FTP on Juniper Networks
devices running JUNOS Software. The ALG module is responsible for
Application-Layer aware packet processing.
ALG functionality can be triggered either by a
service or application configured in the security policy:
- A service is an object that identifies an application protocol using Layer 4 information (such as standard and accepted TCP and UDP port numbers) for an application service (such as Telnet, FTP, SMTP, and HTTP).
- An application specifies the Layer 7 application that maps to a Layer 4 service.
A predefined service already has a mapping to a Layer
7 application. However, for custom services, you must link the service
to an application explicitly, especially if you want the policy to
apply an ALG.
ALGs for packets destined to well-known
ports are triggered by service type. The ALG intercepts and analyzes
the specified traffic, allocates resources, and defines dynamic policies
to permit the traffic to pass securely through the device:
- When a packet arrives at the device, the flow module forwards the packet according to the security rule set in the policy.
- If a policy is found to permit the packet, the associated service type or application type is assigned and a session is created for this type of traffic.
- If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.
The ALG also inspects the packet for embedded IP address
and port information in the packet payload, and performs Network Address
Translation (NAT) processing if necessary. The ALG also opens a gate
for the IP address and port number to permit data exchange for the
session. The control session and data session can be coupled to have
the same timeout value, or they can be independent.
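An added example (not from the original post, and not Junos code): a simplified Python model of the payload inspection, NAT rewrite and gate opening described above, using the FTP PORT command as the control message. The class and method names, the addresses, and the policy of opening a gate only for the control session's own source address on an unprivileged port are assumptions for illustration.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) embedded in an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpAlgModel:
    def __init__(self, nat_map):
        self.nat_map = nat_map   # private client IP -> translated IP (constructed)
        self.gates = {}          # (server IP, translated IP, port) -> private IP

    def on_control_line(self, src_ip, dst_ip, line):
        """Return the line to forward on the control session, or None to drop it."""
        if not line.upper().startswith("PORT "):
            return line          # no embedded address: pass through unchanged
        endpoint = parse_port(line)
        # Assumed policy: open a gate only for the control session's own
        # source address and an unprivileged port; otherwise drop the command.
        if endpoint is None or endpoint[0] != src_ip or endpoint[1] < 1024:
            return None
        ip, port = endpoint
        translated = self.nat_map.get(ip, ip)
        # The gate permits exactly one data flow: server -> translated IP:port.
        self.gates[(dst_ip, translated, port)] = ip
        # Rewrite the embedded address so the server sees the translated one.
        return "PORT %s,%d,%d\r\n" % (translated.replace(".", ","),
                                      port >> 8, port & 0xFF)

    def permits_data(self, src_ip, dst_ip, dst_port):
        """True if an inbound data connection matches an open gate."""
        return (src_ip, dst_ip, dst_port) in self.gates
```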
Friday, 21 February 2014
JTAC Recommended Junos Software Versions (Feb 2014) - SRX
SRX Series Services Gateways
| Platform | JTAC Recommended Junos Software by Platform | Release Type | Last updated |
|---|---|---|---|
| SRX100B/H | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX100H2 (*1) | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX110H | Junos 11.4R10.3 | Standard | 28 Jan 2014 |
| SRX110H2 | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX210B/H/BE/HE | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX210H2 | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX220H | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX220H2 | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX240B/H/B2/H2 | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX550 | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX650 | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX1400 (*2, 3) | Junos 11.4R10.4 | Standard | 08 Jan 2014 |
| SRX1400 w/NP-IOC (*2, 3) | Junos 12.1X44-D30.4 | Standard | 04 Feb 2014 |
| SRX3400 (*3) | Junos 11.4R10.4 | Standard | 08 Jan 2014 |
| SRX3400 w/NP-IOC (*3) | Junos 12.1X44-D30.4 | Standard | 04 Feb 2014 |
| SRX3600 (*3) | Junos 11.4R10.4 | Standard | 08 Jan 2014 |
| SRX3600 w/NP-IOC (*3) | Junos 12.1X44-D30.4 | Standard | 04 Feb 2014 |
| SRX5400 | Junos 12.1X46-D10.2 | Standard | 08 Jan 2014 |
| SRX5600 | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX5600 w/NG-SPC (*4) | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
| SRX5800 | Junos 11.4R10.3 | Standard | 08 Jan 2014 |
| SRX5800 w/NG-SPC (*4) | Junos 12.1X44-D30.4 | Standard | 03 Feb 2014 |
Note:
(*1) TSB16272 - U-Boot upgrade recommendation for SRX100H2
(*2) SRX 1400 deployment as a Chassis Cluster requires Junos 11.1 or above
(*3) TSB16273 - Junos software limitation for SRX1400/SRX3400/SRX3600 Routing Engine and SRX3K Switch Fabric Board
(*4) TSB16197 - Intermittent PHY or MAC layer link failure on SRX5600 and SRX5800 with SRX5K-SPC-4-15-320
Saturday, 15 February 2014
JUNOS : Install Software via CLI from Junos software copied to USB stick
Follow these steps to install the software via the CLI from a USB stick:
- Download the Junos upgrade file to the USB stick.
- Locate the USB device ID that Junos is associating to the USB stick:
user@srx> start shell
user@srx% ls /dev/
- Insert the USB device into the USB slot. For example, slot 0 would return the following:
root# umass0: USB USBFlashDrive, rev 2.00/1.00, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <USB USBFlashDrive 0100> Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)
Run the following command
user@srx% ls /dev/
Compare the two outputs to locate the drive label. (It will usually be da#s1, e.g. da0s1.)
- Create a mount directory:
user@srx% mkdir /tmp/usb
- Mount the USB to the directory:
user@srx% mount -t msdosfs /dev/<drivelabel, e.g. #da0s1> /tmp/usb
Example:
user@srx% mount -t msdosfs /dev/da0s1 /tmp/usb
(there is a space between the label name and /tmp)
Verify that the USB is mounted to the device:
root@% pwd
/cf/root
root@% cd /var/tmp/usb/
root@% pwd
/cf/var/tmp/usb
root@% ls
junos-jsr-11.4R5.7-export.tgz
- Exit shell and install the software:
user@srx% exit
user@srx> request system software add /tmp/usb/<upgrade filename> no-validate no-copy
- Upon completion, reboot the SRX:
user@srx> request system reboot
Sunday, 9 February 2014
JUNOS : ACTIVATE YOUR SRX SERIES AND J SERIES FEATURES
Four Easy Steps to Activate Your
Juniper Networks Product Features
1. Gather your Authorization Code and
Device Serial Number.
Authorization Code:
The 16-digit alphanumeric
Authorization Code is sent via email in response
to your order and is required to generate the license activation
key for your SRX Series device. The Authorization Code is
required to generate your license key—it is not the actual
license key.
Device Serial Number:
The device serial number is a unique 12-digit alphanumeric code used to
identify your SRX Series device when generating license keys.
You can find the SRX Series device serial number either
on the bottom or sides of the unit. You can also find the serial
number via the NSM Device Inventory Hardware tab, by executing
the CLI command “show chassis hardware”, or through the J-Web
Monitor Dashboard.
2. Sign in to the Juniper Networks
License Management System at www.juniper.net/generate_license,
select the J Series and SRX Series device link, and
follow the instructions in the system user interface.
3. The Juniper License Management
System provides you with your license key in one of two ways:
• Download your license key to your computer from the Juniper Networks License Management System.
• You receive an email that contains the license key.
4. On the SRX Series Device:
CLI: request system license add terminal > Press Enter >
When prompted, type the license key, separating multiple license keys with a blank line >
Ctrl-D.
J-Web Interface:
Click Maintain > Licenses and enter the license key in one of the following
ways:
• In the License File URL box, type the URL for the license key website.
• Or copy the license key text, and paste it into the License Key Text box, separating multiple license keys with a blank line.
• Click OK.
Wednesday, 5 February 2014
JUNOS : Configure System Log
By default, control protocol activity is
logged as a separate system log facility, dfc. To modify
the filename or level at which control protocol activity is recorded,
include the following statements at the [edit syslog] hierarchy
level:
[edit syslog]
file dfc.log {dfc any;}
To cancel logging, include the no-syslog statement at the [edit services dynamic-flow-capture capture-group client-name control-source identifier] hierarchy level:
[edit services dynamic-flow-capture capture-group client-name control-source identifier]
no-syslog;