Saturday, 22 September 2012

Junos : SRX Series Hardware EOS Dates & Milestones

The following SRX Series product(s) have all been announced as End of Life (EOL). The End of Support (EOS) milestone dates for the five (5) year support model are published below.

Product | EOL Announce Date | Last Order Date | Last Date to Convert Warranty | Same Day Support Discontinued | Next Day Support Discontinued | End of Support
SRX-MP-1SFP | 02/15/12 | 08/31/12 | 08/31/13 | 08/31/14 | 08/31/16 | 08/31/17
JX-SFP SKUs | 11/15/11 | 02/28/12 | 02/28/13 | 02/28/14 | 02/28/16 | 02/28/17
SRX210B, SRX210H, SRX210H-POE | 11/15/11 | 08/31/12 | 08/31/13 | 08/31/14 | 08/31/16 | 08/31/17
EXPCD-3G-CDMA-V | 11/15/11 | 02/28/12 | 02/28/13 | 02/28/13 | 02/28/14 | 02/28/14
EXPCD-3G-CDMA-S | 11/15/11 | 10/31/11 | 10/31/12 | 10/31/12 | 10/31/13 | 10/31/13
SRX210H-P-MGW, SRX220H-P-MGW, SRX240H-P-MGW, SRX-MP-VA04, SRX-MP-VA04, SRX-MP-VA22 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/11 | 01/24/1

Tuesday, 18 September 2012

Junos: automatic rollback How To

From your Telnet session on the Junos device, delete the telnet statement at the [edit system services] level and commit it in a way that, if you lose your connection to the device, the configuration is automatically rolled back after 1 minute.

Exit configuration mode and then operational mode to log out of the device. Try to telnet again to 192.168.1.2; this should not work. Wait about 2 minutes (take a coffee break) and try again. This time it should work, because your previous commit should have been rolled back.

Solution

[edit]
junuser@JUNOS2# delete system services telnet

[edit]
junuser@JUNOS2# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 1 minute
[edit]
junuser@JUNOS2# exit
Exiting configuration mode

# commit confirmed will be rolled back in 1 minute
junuser@JUNOS2> exit

Sunday, 16 September 2012

Junos : Source NAT HOWTO

How to access internal resources using the external Static NAT address

Internal (trust) zone clients accessing internal resources through the external interface's (untrust) Static NAT address.

Topology

The 192.168.1.1 address is translated to 100.100.100.101/24 (Static NAT).

In this example, the internal client (192.168.1.2) accesses the internal web server using the external IP address (100.100.100.101).
This is commonly needed where DNS resolves the web server's name to its public IP, so internal clients connect to that address too.

Solution:
Configuration steps:
Configure Static NAT for the internal web server.
The Static NAT rule for the internal web server must apply to traffic arriving from both directions (the internal interface as well as the external interface); the rule-set below uses from routing-instance default rather than a single from-zone so that it matches regardless of the ingress zone.
root@juniper# show security
nat {
    static {
        rule-set Staticnat {
            from routing-instance default;
            rule Internal_Webserver {
                match {
                    destination-address 100.100.100.101/32;
                }
                then {
                    static-nat prefix 192.168.1.1/32;
                }
            }
        }
    }
}
Configure Source NAT for the internal client.
Source NAT must be configured so that packets with the internal client as source and the internal web server as destination are translated to a dummy IP that does not exist on the internal network. The reason is that the web server's return packets must be routed back through the firewall (where the static NAT is reversed) rather than delivered directly to the client on the same subnet, which would leave the client seeing a reply from 192.168.1.1 for a connection it opened to 100.100.100.101.
root@juniper# show security
nat {
    source {
        pool Dummypool {
            address {
                192.168.100.1/32;
            }
        }
        rule-set Snat {
            from zone trust;
            to zone trust;
            rule InternalNat {
                match {
                    source-address 192.168.1.2/32;
                    destination-address 192.168.1.1/32;
                }
                then {
                    source-nat {
                        pool {
                            Dummypool;
                        }
                    }
                }
            }
        }
    }
}
Configure Proxy ARP (optional).
If the Static NAT IP and the firewall's external interface IP are in the same subnet, enable Proxy ARP for the NAT address on the external interface so that the firewall answers ARP requests for it.
root@juniper# show security
nat {
    proxy-arp {
        interface ge-0/0/1.0 {
            address {
                100.100.100.101/32;
            }
        }
    }
}
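To show why the dummy source NAT pool matters, the following is an added Python model of the three-step setup above (not from the original post and not Juniper code). It follows one HTTP connection from 192.168.1.2 to 100.100.100.101 with and without the source NAT; the simplified session table and the on-subnet-versus-gateway delivery rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses are taken from the post; the NAT/session/routing model is a
# constructed simplification of what the SRX and the LAN hosts do.
LAN = ipaddress.ip_network("192.168.1.0/24")
CLIENT = "192.168.1.2"           # internal client in the trust zone
SERVER = "192.168.1.1"           # internal web server, real address
STATIC_NAT = "100.100.100.101"   # external address statically mapped to SERVER
DUMMY_POOL = "192.168.100.1"     # pool Dummypool: deliberately not on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class SRX:
    """Toy stateful firewall: static NAT on the destination (rule
    Internal_Webserver), optional source NAT (rule InternalNat) and a
    session table that undoes both translations on the reply."""

    def __init__(self, source_nat: bool, pool: str = DUMMY_POOL):
        self.source_nat = source_nat
        self.pool = pool
        self.sessions = {}  # reverse-flow 4-tuple -> (original src, original dst)

    def forward(self, pkt: Packet):
        """Return the packet as it leaves the SRX, or None if it is dropped."""
        if pkt.dst == STATIC_NAT:
            # destination 100.100.100.101/32 -> static-nat prefix 192.168.1.1/32
            src = self.pool if (self.source_nat and pkt.src == CLIENT) else pkt.src
            out = Packet(src, SERVER, pkt.sport, pkt.dport)
            self.sessions[(out.dst, out.src, out.dport, out.sport)] = (pkt.src, pkt.dst)
            return out
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.sessions:
            orig_src, orig_dst = self.sessions[key]
            return Packet(orig_dst, orig_src, pkt.sport, pkt.dport)
        return None  # no matching session: stateful drop


def server_reply(pkt: Packet) -> Packet:
    """The web server answers to whatever source address it saw."""
    return Packet(SERVER, pkt.src, pkt.dport, pkt.sport)


def next_hop(pkt: Packet) -> str:
    """A LAN host delivers on-subnet traffic directly (ARP, never touching the
    firewall); anything else goes to its default gateway, the SRX."""
    return "direct" if ipaddress.ip_address(pkt.dst) in LAN else "firewall"


def hairpin_http(source_nat: bool, pool: str = DUMMY_POOL) -> dict:
    """Follow 192.168.1.2:40000 -> 100.100.100.101:80 and its reply."""
    srx = SRX(source_nat, pool)
    syn = Packet(CLIENT, STATIC_NAT, 40000, 80)
    to_server = srx.forward(syn)          # off-subnet dst, so the SYN hits the SRX
    reply = server_reply(to_server)
    via = next_hop(reply)
    if via == "firewall":
        reply = srx.forward(reply)        # reverse static NAT and source NAT
    delivered = reply is not None and reply.dst == CLIENT
    # The client only accepts a reply that matches the socket it opened.
    accepted = (delivered and reply.src == STATIC_NAT
                and reply.sport == 80 and reply.dport == 40000)
    return {
        "server_saw_client_as": to_server.src,
        "reply_via": via,
        "client_sees_reply_from": reply.src if delivered else None,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    cases = [
        ("static NAT only", dict(source_nat=False)),
        ("static + source NAT, pool off the LAN", dict(source_nat=True)),
        ("static + source NAT, pool on the LAN", dict(source_nat=True, pool="192.168.1.50")),
    ]
    for label, kwargs in cases:
        print(f"{label:40s} -> {hairpin_http(**kwargs)}")
```

The third case shows the failure the post warns about: a pool address that does exist on the internal network makes the server answer directly on the LAN, so the reply never returns through the firewall and never reaches the client.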

Tuesday, 11 September 2012

Junos : Basic configuration



1. Set the host name
# set system host-name <name>

2. Set the system domain name
# set system domain-name <example.com>

3. Configure the management port for remote support
# set interfaces fxp0 unit 0 family inet address <192.168.1.1>
** The management interface name depends on the platform. Run show interfaces terse to identify it. **
# set routing-options static route 0.0.0.0/0 next-hop <x.x.x.x>   (default gateway)

4. Configure the name server / DNS
# set system name-server <dns ip>

5. Configure the root password
# set system root-authentication plain-text-password
** WITHOUT A ROOT AUTHENTICATION PASSWORD, THE COMMIT WILL FAIL. **

6. Configure the NTP clock
# set system ntp server <8.8.8.8>

7. Configure the system time zone
# set system time-zone <time-zone>

8. Configure SSH
# set system services ssh
# set interfaces lo0 unit 0 family inet address <x.x.x.x>

9. Create a user
# set system login user <example> class super-user
# set system login user <example> authentication plain-text-password

** ALWAYS RUN show | compare TO DOUBLE-CHECK THE CONFIGURATION BEFORE COMMITTING **

Friday, 7 September 2012

Junos: Known Limitations in Junos OS Release 12.1 for Branch SRX Series Services Gateways



ADSL Mini-PIM
  • On SRX Series devices with the ADSL Mini-PIM, it takes more than 5 minutes for the ATM interface to come up when the CPE is configured in ANSI-DMT mode and the CO is configured in auto mode. This occurs only with the ALU 7300 DSLAM, due to a limitation in the current firmware version running on the ADSL Mini-PIM.
AppSecure
  • Junos OS application identification—When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
  • J-Web pages for AppSecure are preliminary.
  • Custom application signatures and custom nested application signatures are not currently supported by J-Web.
  • When ALG is enabled, AppID includes the ALG result to identify the application of the control sessions. AppFW permits ALG data sessions whenever control sessions are permitted. If the control session is denied, there will be no data sessions. When ALG is disabled, AppID relies on its signatures to identify the application of the control and data sessions. If a signature match is not found, the application is considered unknown. AppFW handles them based on the AppID result.
AX411 Access Points
  • On SRX210, SRX240, and SRX650 devices, up to four access points (maximum) can be configured and managed.
  • On all branch SRX Series devices, managing AX411 WLAN Access Points through a Layer 3 Aggregated Ethernet (ae) interface is not supported.
Chassis Cluster
  • SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:
    • Virtual Router Redundancy Protocol (VRRP) is not supported.
    • In-service software upgrade (ISSU) is not supported.
    • The 3G dialer interface is not supported.
    • On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4 to 6 minutes.
    • On very-high-bit-rate digital subscriber line (VDSL) mini-PIM, chassis cluster is not supported for VDSL mode.
    • Queuing on the aggregated Ethernet (ae) interface is not supported.
    • Group VPN is not supported.
    • Sampling features like J-Flow, packet capture, and port mirroring on the reth interface are not supported.
    • Switching is not supported in chassis cluster mode for SRX100 and SRX210.
    • The Chassis Cluster MIB is not supported.
    • Any packet-based services like MPLS and CLNS are not supported.
    • lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.
    • lt-0/0/0—CoS for real-time performance monitoring (RPM) is not supported.
    • pp0: PPPoE and PPPoEoA are not supported.
  • Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families is not supported.
  • Layer 2 Ethernet switching
The factory default configuration for SRX100 and SRX210 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.
Caution: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration and might result in undesirable behavior from the devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices does not automatically enable Ethernet switching. However, if you have enabled Ethernet switching, be sure to disable it before enabling clustering on these devices too.
  • On all branch SRX Series devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.
Command-Line Interface (CLI)
  • On all branch SRX and all J Series devices, the clear services flow command is not supported.
  • On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:
    • For SRX210 devices: four CLI users and three J-Web users
    • For SRX240 devices: six CLI users and five J-Web users
  • On J6350 devices, the power ratings given in the user documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM Power and Thermal Calculator) differ by one unit from the power ratings displayed by the CLI. The cause is a round-off error: the CLI rounds the value down to the lower integer, whereas the user documentation rounds it up to the higher integer. As a workaround, follow the user documentation for accurate ratings.
DOCSIS Mini-PIM
  • On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.
Dynamic Host Configuration Protocol (DHCP)
  • On all branch SRX Series and J Series devices, DHCPv6 client authentication is not supported.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
  • The IKE configuration for the Junos Pulse client does not support the hexadecimal preshared key.
  • The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
  • When you log in through the Web browser (instead of logging in through the Junos Pulse client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
  • On all branch SRX Series devices, DH-group 14 is not supported for dynamic VPN.
  • On all branch SRX Series devices, when you download the Pulse client using the Mozilla browser, the “Launching the VPN Client” page is displayed when Junos Pulse is still downloading. However, when you download the Pulse client using Internet Explorer, “Launching the VPN Client” page is displayed after Junos Pulse has been downloaded and installed.
Flow and Processing
  • On all branch SRX Series and J Series devices, a mismatch between the Firewall Counter Packet and Byte Statistics values, and between the Interface Packet and Byte Statistics values, might occur when the rate of traffic increases above certain rates of traffic.
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packet sizes greater than or equal to 1500 bytes and hence those packets will not be sampled. You could run out of buffers when the rate of the traffic stream is high.
  • On SRX100 and SRX240 devices, the data file transfer rate for more than 20 megabits per second is reduced by 60 percent with the introduction of the Junos Pulse 1.0 client, as compared to the Acadia client that was used before Junos OS Release 11.1.
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.
  • On all branch SRX Series and J Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).
  • On all branch SRX Series devices, you cannot configure route policies and route patterns in the same dial plan.
  • On all branch SRX Series devices, you can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.
  • On all J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.
  • On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons such as CPU intensive commands and SNMP walks causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing large BGP updates.
  • On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.
  • Maximum concurrent SSH, Telnet, and Web sessions — On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:
Sessions | SRX210 | SRX240 | SRX650
ssh | 3 | 5 | 5
telnet | 3 | 5 | 5
Web | 3 | 5 | 5
Note: These defaults are provided for performance reasons.

  • On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of the CLI and J-Web to the numbers of sessions listed in the following table:
Device | CLI | J-Web | Console
SRX210 | 3 | 3 | 1
SRX240 | 5 | 5 | 1
  • On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC address) on the VLAN Layer 3 interface work only with access switch ports.
Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN
Cisco’s implementation of the Group Domain of Interpretation (GDOI) is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.
Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server and the Juniper Networks security devices are group members, with the following caveats:
  • The group VPN in Release 12.1 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
  • To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as bad security parameter indexes (SPIs). The Juniper Networks security device can recover from this situation by reregistering with the server to download the new key.
  • Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not interoperate with a Cisco group member if time-based antireplay is used because the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members because the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.
  • According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member needs to match Cisco behavior.
  • A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B be encrypted by key 1. The member can set a deny policy to allow OSPF traffic between subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Juniper Networks security device.
  • On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.
  • Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.
  • GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.
Hardware
This section covers filter and policing limitations.
  • On SRX650 devices, the T1/E1 GPIMs (2-port or 4-port version) do not work in Junos OS Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but if you roll back to the 9.6R1 image, this issue is still seen.
Interfaces and Routing
  • On SRX650 devices with 1 GB RAM, you can create a maximum of 63 physical interface devices. Therefore, we recommend that you use only seven octal serial cards to create physical interface devices. To make full use of eight octal serial cards and create 64 physical interface devices, you require an SRX650 device with 2 GB RAM.
  • On SRX100 and J Series devices, dynamic VLAN assignments and guest VLANs are not supported.
  • On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports).
  • On SRX210, SRX220, SRX240, and SRX650 devices, logs cannot be sent to NSM when logging is configured in stream mode. Logs cannot be sent because the security log does not support configuring a source IP address on the fxp0 interface, and the security log destination in stream mode cannot be routed through the fxp0 interface. This implies that you cannot configure the security log server in the same subnet as the fxp0 interface and route to the log server through the fxp0 interface.
  • On all branch SRX Series devices, the number of child interfaces per node is restricted to 4 on the reth interface and the number of child interfaces per reth interface is restricted to 8.
  • On SRX240 High Memory devices, traffic might stop between the SRX240 device and the Cisco switch due to link mode mismatch. We recommend setting autonegotiation parameters on both ends to the same value.
  • On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a workaround, run the restart fpc command and restart the FPC.
  • On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested.
  • On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) JOINS messages are dropped on an integrated routing and bridging (IRB) interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.
  • On all J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR).
  • On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in the asymmetric digital subscriber line (ADSL) mode, the first packet passing through the PIM is dropped.
  • On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the option destination-interface.
  • On all J Series devices, Link Layer Discovery Protocol (LLDP) is not supported on routed ports.
  • In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in segmentation and reassembly (SAR).
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400                          # ATM CoS
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map    # IP CoS
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400        # add the IFL shaper
  • On SRX210, SRX220, and SRX240 devices, 1-port Gigabit Ethernet SFP mini-PIM does not support switching in Junos OS Release 12.1.
  • On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
  • On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and the user is not allowed any configured VLANs from this range.
  • On SRX650 devices, the last four ports of a 24-port Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, the interface switches to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off intermittently. Similarly, when the RJ-45 medium is active and a small form-factor pluggable (SFP) link is brought up, the interface transitions to the SFP medium, and this transition can also take a few seconds.
  • On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.
  • On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 ae interface, the following features are not supported:
    • Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPOE) on Layer 3 ae interfaces
    • J-Web
    • Layer 3 ae for 10-Gigabit Ethernet
  • On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.
  • On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it blocks the remote copy (rcp) between nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. However, if you choose to use the system login deny-sources statement, check the private addresses that were automatically configured on lo0.x and sp-0/0/0.x and exclude them from the denied list.
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, LLDP is not supported on VLAN-tagged routed interfaces.
Internet Key Exchange Version 2 (IKEv2)
On all branch SRX Series devices, IKEv2 does not include support for:
  • Policy-based tunnels
  • Dial-up tunnels
  • Network Address Translation-Traversal (NAT-T)
  • VPN monitoring
  • Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for multiple tunnels
  • Extensible Authentication Protocol (EAP)
  • IPv6
  • Multiple child SAs for the same traffic selectors for each QoS value
  • Proposal enhancement features
  • Reuse of Diffie-Hellman (DH) exponentials
  • Configuration payloads
  • IP Payload Compression Protocol (IPComp)
  • Dynamic Endpoint (DEP)
Internet Protocol Security (IPsec)
  • On all branch SRX Series devices, when you enable VPN, overlapping of the IP addresses across virtual routers is supported with following limitations:
    • An IKE external interface address cannot overlap with any other virtual router.
    • An internal/trust interface address can overlap across virtual routers.
    • An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnels such as NHTB.
    • An st0 interface address can overlap in route-based VPN in point-to-point tunnels.
Intrusion Detection and Prevention (IDP)
  • On all branch SRX Series devices, from Junos OS Release 11.2 and later, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (secDb install) is automatically performed when the IDP daemon comes up, and previously installed database files get deleted.
However, migration is dependent on the XML files for the installed database to be present on the device. For first-time installation, full update files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.
As a workaround, use the following CLI commands to manually download the individual components of the security package from the Juniper Security Engineering portal and install the full update:
    • request security idp security-package download full-update
    • request security idp security-package install
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services application-identification uninstall command will uninstall all predefined signatures.
  • On all branch SRX Series devices, IDP does not allow header checks for nonpacket contexts.
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported number of entries in the ASC table is 100,000. However, because the user land buffer has a fixed size of 1 MB, it displays a maximum of 38,837 cache entries.
  • The maximum number of IDP sessions supported is 16,384 on SRX210 devices, 32,768 on SRX240 devices, and 131,072 on SRX650 devices.
  • On all branch SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode. The current IDP policy templates supported are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.
On all branch SRX Series devices, the following IDP policies are supported:
    • DMZ_Services
    • DNS_Service
    • File_Server
    • Getting_Started
    • IDP_Default
    • Recommended
    • Web_Server
  • On all branch SRX Series devices, IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
    • No inspection of sessions that fail over or fail back.
    • The IP action table is not synchronized across nodes.
    • The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.
    • The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.
  • On all branch SRX Series devices, IDP deployed in active/active chassis clusters has a limitation that for time-binding scope source traffic, if attacks from a source (with more than one destination) have active sessions distributed across nodes, then the attack might not be detected because time-binding counting has a local-node-only view. Detecting this sort of attack requires an RTO synchronization of the time-binding state that is not currently supported.
Note: On SRX100 devices, IDP high availability (HA) is supported in active/backup mode.
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each user logical system are compiled together and stored on the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:
    • IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.
    • As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.
IPv6 IPsec
The IPv6 IPsec implementation has the following limitations:
  • IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.
  • Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32-bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.
  • IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel scalability numbers might drop.
  • The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel throughput performance.
  • The IPv6 IPsec VPN does not support the following functions:
    • 4in6 and 6in4 policy-based site-to-site VPN, IKE
    • 4in6 and 6in4 route-based site-to-site VPN, IKE
    • 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
    • 4in6 and 6in4 route-based site-to-site VPN, Manual Key
    • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
    • 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
    • Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
    • IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
    • IKE peer type—Dynamic IP
    • Chassis cluster for basic VPN features
    • IKE authentication—PKI/RSA
    • Network Address Translation-Traversal (NAT-T)
    • VPN monitoring
    • Hub-and-spoke VPNs
    • Next Hop Tunnel Binding Table (NHTB)
    • Dead Peer Detection (DPD)
    • Simple Network Management Protocol (SNMP) for IPsec VPN MIBs
    • Chassis cluster for advanced VPN features
    • IPv6 link-local address
Layer 2 Transparent Mode
  • DHCP server propagation is not supported in Layer 2 transparent mode.
IPv6 Support
  • NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX Series and J Series devices.
J-Web
  • SRX Series and J Series browser compatibility
    • To access the J-Web interface, your management device requires the following software:
      • Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
      • Language support—English-version browsers
      • Supported OS—Microsoft Windows XP Service Pack 3
    • If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.
    • To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. The Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but that preference is stored in a cookie, so clearing cookies in Internet Explorer causes the Chassis View to be displayed again.
  • On all branch SRX Series devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.
  • On all branch SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.
  • On SRX210 devices, the CLI does not enforce a maximum length when you commit the hostname; however, the J-Web System Identification panel displays at most 58 characters of it.
  • On all J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
  • On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.
Network Address Translation (NAT)
  • Maximum capacities for source pools and IP addresses have been extended on SRX650 devices, as follows:
Device   Source NAT pools   PAT maximum address capacity   PAT port number   Source NAT rules
SRX650   1024               1024                           64M               1024
  • Increasing the number of source NAT pools consumes memory that is also needed for port allocation. As you add pools and IP addresses toward these limits, reduce the number of ports allocated to each IP address so that NAT does not consume too much memory. Use the port-range statement under the pool to assign a new port range, or the pool-default-port-range statement at the [edit security nat source] level to override the default for every pool.
  • Configure port overloading with the same care when the number of source NAT pools is increased.
  • For a source pool with port address translation (PAT), the top of the port space is reserved for Application Layer Gateway (ALG) use: each IP address keeps 2048 ports (63,488 through 65,535) for the ALG module, which allocates two ports at a time for RTP/RTCP applications such as SIP, H.323, and RTSP. Plan pool port ranges below that reserved block.
  • NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.
Table: Number of NAT rules on SRX Series and J Series devices

NAT rule type          SRX100   SRX210   SRX240   SRX650   J Series
Source NAT rule        512      512      1024     1024     512
Destination NAT rule   512      512      1024     1024     512
Static NAT rule        512      512      1024     6144     512
The separate limit on the number of rules per rule set no longer applies; the only restriction is the device-wide limit on how many rules of each type a device supports. Use these device-wide figures to plan and configure the NAT rules for the device.
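The pool port-range guidance and the device-wide rule limit described above, shown as an added configuration example; this is not configuration from the release notes or from Juniper. The pool name CORP-SNAT, the rule-set name, the trust and untrust zones, and the 203.0.113.0/26 and 10.0.0.0/8 prefixes are assumed for illustration; the statements are standard [edit security nat source] syntax.

```junos
## Added example (assumed names and prefixes): a PAT source pool on an SRX650
## that trades ports per address for more addresses, plus the rule set that
## uses it.

## Device-wide default port range for every PAT pool that does not override it.
## The default 1024 to 63487 leaves the top of the port space for ALG use.
set security nat source pool-default-port-range 1024 to 63487

## Pool of 64 public addresses. The explicit port range overrides the default;
## fewer ports per address keeps the port table small as the pool count grows
## toward the 1024-pool limit. Keep the range below the ALG-reserved block.
set security nat source pool CORP-SNAT address 203.0.113.0/26
set security nat source pool CORP-SNAT port range 2048 to 32767

## Port randomization is on by default; leave it on, since disabling it makes
## translated ports predictable to an external observer.
## (Do NOT configure: set security nat source port-randomization disable)

## Rule set from trust to untrust. Only the device-wide rule count applies;
## on an SRX650 that is 1024 source NAT rules in total, however many rule
## sets they are spread across.
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule R1 match source-address 10.0.0.0/8
set security nat source rule-set TRUST-TO-UNTRUST rule R1 then source-nat pool CORP-SNAT

## Verify after commit (operational mode):
##   show security nat source summary
##   show security nat source pool CORP-SNAT
##   show security nat source rule all
```

After the commit, show security nat source summary lists the pool and rule counts against the device limits, and show security nat source pool CORP-SNAT reports the configured port range and the ports currently in use, which is the number to watch when deciding whether the per-address range can be reduced further.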
Power over Ethernet (PoE)
  • On SRX210-PoE devices, SDK packages might not work.
Security
  • J Series devices do not support the authentication orders password radius and password ldap in the [edit access profile profile-name authentication-order] statement. Use radius password or ldap password instead.
  • On all branch SRX Series and J Series devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.
Table 7: Number of addresses in an address-set on SRX Series and J Series devices

Device               address-set
Default              1024
SRX100 High Memory   1024
SRX100 Low Memory    512
SRX210 High Memory   1024
SRX210 Low Memory    512
SRX240 High Memory   1024
SRX240 Low Memory    512
SRX650               1024
J Series             1024
Simple Network Management Protocol (SNMP)
  • On all J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release 12.1.
Switching
  • Layer 2 transparent mode support—On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following features are not supported for Layer 2 transparent mode:
    • Gratuitous Address Resolution Protocol (GARP) on the Layer 2 interface
    • Spanning Tree Protocol (STP)
    • IP address monitoring on any interface
    • Transit traffic through integrated routing and bridging (IRB)
    • IRB interface in a routing instance
    • Chassis clustering
    • IRB interface handling of Layer 3 traffic
Note: The IRB interface is a pseudointerface and does not belong to the reth interface and redundancy group.
  • On SRX100, SRX210, SRX240, and SRX650 devices, Change of Authorization is not supported with 802.1x.
  • On SRX100, SRX210, SRX240, and SRX650 devices, on the routed VLAN interface, the following features are not supported:
    • IPv6 (family inet6)
    • IS-IS (family iso)
    • Class of service
    • Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
    • CLNS
    • Protocol Independent Multicast (PIM)
    • Distance Vector Multicast Routing Protocol (DVMRP)
    • VLAN interface MAC change
    • Gratuitous Address Resolution Protocol (ARP)
    • Change VLAN-Id for VLAN interface
USB
  • On SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, frequent insertion and removal of USB keys is not supported. Wait for the device node to be created before removing the USB key.
Upgrade and Downgrade
  • On all J Series devices, the Junos OS upgrade might fail due to insufficient disk space if the CompactFlash is smaller than 1 GB. We recommend a 1-GB CompactFlash for Junos OS Release 10.0 and later.
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you connect a client running Junos Pulse 1.0 to an SRX Series device that is running a later version of Junos Pulse, the client is not upgraded automatically to the later version. You must uninstall Junos Pulse 1.0 from the client and then download the later version of Junos Pulse from the SRX Series device.
Virtual Private Networks (VPNs)
  • On SRX100, SRX210, SRX240, and SRX650 devices, while configuring dynamic VPN using the Junos Pulse client, when you select the authentication-algorithm as sha-256 in the IKE proposal, the IPsec session might not get established.
Unsupported CLI for Branch SRX Series Services Gateways
Accounting-Options Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.
AX411 Access Point Hierarchy
  • On SRX100 devices, there are CLI commands for wireless LAN configurations related to the AX411 Access Point. However, at this time, the SRX100 devices do not support the AX411 Access Point.
Chassis Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following chassis hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure
Class-of-Service Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following class-of-service hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper
Ethernet-Switching Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following Ethernet-switching hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class
Firewall Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following Firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
Aggregated Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
ATM Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
set interfaces at-1/0/0 unit 0 plp-to-clp
set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth
Ethernet Interfaces
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode
GRE Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer
IP Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router
LSQ Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router
PT Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id
T1 Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces t1-1/0/0 receive-bucket
set interfaces t1-1/0/0 transmit-bucket
set interfaces t1-1/0/0 encapsulation ether-vpls-ppp
set interfaces t1-1/0/0 encapsulation extended-frame-relay
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc
set interfaces t1-1/0/0 encapsulation satop
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp
set interfaces t1-1/0/0 unit 0 layer2-policer
set interfaces t1-1/0/0 unit 0 radio-router
set interfaces t1-1/0/0 unit 0 family inet dhcp
set interfaces t1-1/0/0 unit 0 inverse-arp
set interfaces t1-1/0/0 unit 0 multicast-dlci
VLAN Interface CLI
  • The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router
Protocols Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
set protocols l2iw
set protocols bgp family inet flow
set protocols bgp family inet-vpn flow
set protocols igmp-snooping vlan all proxy
Routing Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following routing hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set routing-instances <instance_name> services
set routing-instances <instance_name> multicast-snooping-options
set routing-instances <instance_name> protocols amt
set routing-options bmp
set routing-options flow
Services Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following services hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set services service-interface-pools
SNMP Hierarchy
  • On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set snmp community <community_name> logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system
System Hierarchy
  • On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set system diag-port-authentication