Juniper JUNOS OS 10.4 - RELEASE NOTES REV 5 Release Note page 97

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The DS Lite carrier-grade NAT performs IPv4-IPv4 address translations to multiple
subscribers through a single global IPv4 address. Overlapping address spaces used by
subscribers are disambiguated through the identification of tunnel endpoints.
A new command for displaying information on softwires, show security softwires, is
available in Junos OS Release 10.4.
[Junos OS Security Configuration Guide, Junos OS CLI Reference]
Firewall security policy in active/active chassis cluster—This feature is supported on
all SRX Series and J Series devices.
This feature is now supported in active/active chassis cluster configurations in addition
to the existing support of active/passive chassis cluster configurations.
The matching criteria for security policy rules are based on zones, address objects, and
applications. To support security policy rules for IPv6 traffic, you have to configure
zone and address objects with IPv6 values. You can also select IPv6 applications.
Note that in security policy rules, the meaning of the wildcard any has changed. When
flow support is enabled for IPv6 traffic, the wildcard any matches any IPv4 or IPv6
address. In Junos OS Release 10.4, new wildcards are introduced to match any IPv4 or
any IPv6 address: any-ipv4 and any-ipv6 in active/active chassis cluster. When flow
support is not enabled for IPv6 traffic, any matches IPv4 addresses.
IPv6 support for IDP and UTM is not included in Junos OS Release 10.4. If your current
security policy uses rules with any IP address wildcards and IDP and UTM features
enabled, you will encounter configuration commit errors because IDP and UTM features
do not support IPv6 addresses. To resolve these errors, modify the rule returning the
error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic
that do not include IDP or UTM features. [Junos OS Security Configuration Guide]
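An added example, not part of the Juniper release notes: a Python audit that scans a configuration in set format for security policies that combine the any address wildcard with IDP or UTM, the combination described above as causing commit errors. The sample configuration, policy names and the utm-std profile name are constructed; the application-services idp and utm-policy statements and the mode flow-based value are assumed to be in standard Junos set syntax.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format (not taken from the release notes).
SAMPLE_CONFIG = """\
set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone untrust policy web-idp match source-address any
set security policies from-zone trust to-zone untrust policy web-idp match destination-address any
set security policies from-zone trust to-zone untrust policy web-idp then permit application-services idp
set security policies from-zone trust to-zone untrust policy mail-utm match source-address any-ipv4
set security policies from-zone trust to-zone untrust policy mail-utm match destination-address any-ipv4
set security policies from-zone trust to-zone untrust policy mail-utm then permit application-services utm-policy utm-std
set security policies from-zone trust to-zone untrust policy v6-plain match source-address any-ipv6
set security policies from-zone trust to-zone untrust policy v6-plain match destination-address any
set security policies from-zone trust to-zone untrust policy v6-plain then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
MATCH_RE = re.compile(r"^match (source|destination)-address (\S+)$")
SERVICE_RE = re.compile(r"^then permit application-services (idp|utm-policy)\b")
INET6_FLOW = "set security forwarding-options family inet6 mode flow-based"

def audit(config_text):
    """Return (ipv6_flow_enabled, findings) for a set-format configuration."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    ipv6_flow = INET6_FLOW in lines
    policies = defaultdict(lambda: {"any": set(), "services": set()})
    for line in lines:
        m = POLICY_RE.match(line)
        if not m:
            continue
        key, rest = m.group(1, 2, 3), m.group(4)
        addr = MATCH_RE.match(rest)
        if addr and addr.group(2) == "any":      # bare wildcard, not any-ipv4/any-ipv6
            policies[key]["any"].add(addr.group(1))
        svc = SERVICE_RE.match(rest)
        if svc:                                   # IDP or UTM attached to the rule
            policies[key]["services"].add(svc.group(1))
    # A finding is a policy that has both a bare "any" and IDP/UTM enabled.
    findings = [{"policy": k, "any_in": sorted(p["any"]), "services": sorted(p["services"])}
                for k, p in sorted(policies.items()) if p["any"] and p["services"]]
    return ipv6_flow, findings

if __name__ == "__main__":
    enabled, hits = audit(SAMPLE_CONFIG)
    print("IPv6 flow-based processing configured:", enabled)
    for h in hits:
        print("replace any with any-ipv4 in", h["policy"], h["any_in"], h["services"])
```

Each finding names a rule to rewrite with any-ipv4; IPv6 traffic then needs its own rule without IDP or UTM, as the note above describes.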
Flow-based processing in active/active chassis cluster—This feature is supported
on all SRX Series and J Series devices.
In Junos OS Release 10.4, we support IPv6 flow-based processing in active/active
(failover) chassis cluster configurations in addition to the existing support of
active/passive chassis cluster configurations.
IPv6 flow support enables processing of IPv6 traffic by the security features of SRX
Series and J Series devices. IPv6 flow support is disabled by default, and IPv6 packets
are dropped.
To enable flow-based processing for IPv6 traffic, modify the mode statement at the
[edit security forwarding-options family inet6] hierarchy level.
The [show security flow session source-prefix] and [show security flow session
destination-prefix] commands you use to monitor session statistics now take IPv6
address arguments. In addition, the [show security flow session family (inet|inet6)]
option is added to filter session statistics by protocol family.
[Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices,
Junos OS Security Configuration Guide]
FTP ALG for routing—This feature is supported on all SRX Series and J Series devices.
Copyright © 2011, Juniper Networks, Inc.