Juniper JUNOS 10.1 - RELEASE NOTES REV 4 Release Note page 154

JUNOS 10.1 Software Release Notes
Intrusion Detection and Prevention (IDP)
154
Issues in JUNOS Release 10.1 for SRX Series Services Gateways and J Series Services Routers
because there is a bug in the SAR engine, which will not set the ATM connection
until the first packet has been dropped due to no ATM connection. [PR/493099]
The destination and destination-profile options for address and
unnumbered-address within family inet and inet6 are allowed to be specified
within a dynamic profile but not supported. [PR/493279]
On SRX 210 High Memory devices, the physical interface module (PIM) shows
time in ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2.
[PR/497129]
On SRX5600 and SRX5800 devices, load balance does not happen within the
aggregated Ethernet ( ae ) interface when you prefix length with /24 while
incrementing the dst ip. [PR/505840]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when the firewall and
IDP policy both enable diffServ
traffic, the firewall DSCP value takes precedence and the traffic is marked using
the firewall DSCP value. [PR/297437]
On SRX5600 and SRX5800 devices, when the device is processing heavy traffic,
the
show security idp status
flow, session, and packet statistics do not match firewall statistics. [PR/389501]
[PR/388048]
The SRX210 device supports only one IDP policy at any given time. When you
make changes to the IDP policy and commit, the current policy is completely
removed before the new policy becomes effective. During the update, IDP will
not inspect the traffic that is passing through the device for attacks. As a result,
there is no IDP policy enforcement. [PR/392421]
On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web
selecting Configuration>Quick Configuration>Security Policies>IDP
Policies>Security Package Update>Help brings up the IDP policy Help page
instead of the Signature update Help page. To access the corresponding Help
page, select Configuration>Quick Configuration>IDP
Policies>Signature/Policies Update and then click Help. [PR/409127]
On SRX3400, SRX3600, SRX5600 and SRX5800 devices, if you want to change
to dedicated mode, the configuration of the
application-services maximize-idp-sessions
rebooting the device. This should be done to avoid recompiling IDP policies
during every commit. [PR/426575]
On SRX3400, SRX3600, and SRX5600 devices, when you configure IDP to run
in decoupled mode using the
maximize-idp-sessions command, network address translation (NAT) information
will not be shown in the event log. [PR/445908]
On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a
policy containing more than 200 rules, with each rule containing the predefined
attack groups (Critical, Major, and Minor), the memory constraint of the Routing
Engine (500 MB) is reached. [PR/449731]
marking with a different DSCP value for the same
operational command might fail. As a result, IDP
security forwarding-process
command should be done right before
set security forwarding-process application-services