Juniper JUNOS 10.1 - RELEASE NOTES 5-13-2010 Release Note page 150

JUNOS 10.1 Software Release Notes
J-Flow
150
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
On SRX3400, SRX3600, SRX5600 and SRX5800 devices, if you want to change
to dedicated mode, the configuration of the
application-services maximize-idp-sessions
rebooting the device. This should be done to avoid recompiling IDP policies
during every commit. [PR/426575]
On SRX3400, SRX3600, and SRX5600 devices, when you configure IDP to run
in decoupled mode using the
maximize-idp-sessions command, network address translation (NAT) information
will not be shown in the event log. [PR/445908]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a
policy containing more than 200 rules, with each rule containing the predefined
attack groups (Critical, Major, and Minor), the memory constraint of the Routing
Engine (500 MB) is reached. [PR/449731]
On SRX3400, and SRX3600 devices, the logging rate is slightly less in SPUs
operating in combo mode as compared to SPUs operating in non-combo mode.
[PR/457251]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices in
maximize-idp-sessions mode, there is an IPC channel between two data plane
processes. The channel is responsible for transferring the "close session" message
(and other messages) from the firewall process to the IDP process. Under stress
conditions, the channel becomes full and extra messages might get lost. This
causes IDP sessions in the IDP process to hang for longer than necessary, and
they will time out eventually. [PR/458900]
When an SRX Series device running JUNOS Release 10.1 (Layer 2
access-integrated mode) is rolled back to the JUNOS Release 9.6 image, the DUT
comes up in JUNOS Release 9.6 with Layer 2 access-integrated mode, which was
not supported in JUNOS Release 9.6. [PR/469069]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level
distributed denial-of-service (application-level DDoS) rulebase (rulebase-ddos)
does not support port mapping. If you configure an application other than default,
and if the application is from either predefined JUNOS Software applications or
a custom application that maps an application service to a nonstandard port,
application-level DDoS detection will not work. When you configure the
application setting as default, IDP uses application identification to detect
applications running on standard and nonstandard ports, hence the
application-level DDoS detection works properly. [PR/472522]
SRX3400, SRX3600, SRX5600, and SRX5800 devices support 4-byte autonomous
system (AS) for BGP configuration. However, the J-Flow template versions 5 and
8 do not support 4-byte AS, because these J-Flow templates have 2 bytes for the
SRC/DST AS field. [PR/416497]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on
the virtual router interface does not show the values of autonomous system (AS)
and mask length values. The AS and mask length values of
while sampling the packet on the virtual router interface. [PR/419563]
0
security forwarding-process
command should be done right before
set security forwarding-process application-services
cflowd packets show