Junos OS Release 15.1X49-D130 for vSRX Release Notes

1 Junos OS Release vSRXR elease NotesRelease February 2019 Revision3 ContentsIntroduction .. 3 New and Changed Features .. 3 New Features for Junos OS Release .. 3vSRX: Allow 1400 MTU to be set on vSRX fxp0, em0, andfab0/fab1 .. 3vSRX: Config-drive supportwith cloud-init.. 3vSRX:IKEG atewayExtendedAuthentication(XAuth)suppo rtsalengthof 128-characters .. 4 IPv6 supportfor ClearPass (SRX Series, vSRX) .. 4 Ability to configure LTE interface with IPv4-only mode(vSRX on NFXplatform) .. 4vSRX Architecture Illustration .. 4vSRX Architecture .. 4 Supported Features .. 5 Supported Features References .. 5 Unsupported Features .. 7 Changes in Behavior and Syntax .. 7 Known Behavior .. 7 Chassis Cluster/HighAvailability .. 7 Class of Service .. 8 Interfaces and Routing.. 8 NFX Platform .. 8 Platform and Infrastructure .. 8SR-IOV .. 9vSRX Limitations in Junos Space Security Director Integration with vSRX.

2 10 Known Issues .. 10 Chassis Clustering .. 10 Class of Service (CoS) .. 11 DHCP.. 11 Flow and Processing .. 111 Copyright 2019, JuniperNetworks, and Routing.. 11J-Web .. 12 Microsoft Azure .. 13 Microsoft Hyper-V.. 14 Platform and Infrastructure .. 14 RoutingProtocols .. 15 System Logs .. 15 UTM.. 15 VPN.. 15 Resolved Issues .. 16 Resolved Issues .. 16 Chassis Cluster/HighAvailability .. 16 Licensing.. 16 Network Address Translation (NAT) .. 16 Platform and Infrastructure .. 16 RoutingPolicy and Firewall Filters .. 17 RoutingProtocols .. 17 SSL Proxy .. 17 Migration, Upgrade, and Downgrade Instructions .. 17 Upgrading Software Packages .. 17 Validating the OVA Image .. 20 Migrating from Firefly Perimeter .. 20 System Requirements .. 20 System Requirements by Environment.. 20 Hardware Recommendations .. 21 Best Practices Recommendations .. 22 NUMAN odes.

3 22 PCI NIC-to-VMMapping.. 22 MappingVirtual Interfaces to a vSRX VM .. 22 FindingMore Information .. 23 Documentation Feedback .. 23 Requesting Technical Support.. 24 Self-HelpOnlineTools and Resources .. 24 Openinga Case with JTAC .. 25 RevisionHistory .. 25 Copyright 2019, JuniperNetworks, Notes for vSRXI ntroductionThis Release note accompanies Junos OS Release vSRX. It describesnew and changed features, known behavior, and known and resolved problems in is a virtual security appliance that provides security and networkingservices (VM)onx86servers that supportvirtualization, and it enables advanced security and routingat thenetwork edge in multitenantvirtualized is built on Junos OS and delivers security and networkingfeatures similar to thoseavailable on SRX Series Services can also find the vSRX Release Notes in the JuniperNetworks TechLibrary, and Changed FeaturesThis section describes new features and enhancements to existing features in Junos OSRelease vSRX.

4 New Features for Junos OS Release page 3 vSRX Architecture Illustration on page 4 Supported Features on page 5 Supported Features References on page 5 Unsupported Features on page 7 Changes in Behavior and Syntax on page 7 New Features for Junos OS Release following features are new in Junos OS Release : Allow 1400 MTU to be set on vSRX fxp0, em0, and fab0/fab1 Startingin Junos OS Release , the maximumtransmissionunit (MTU)settingsareadjustableonthevSRXvirtu alinterfacessothatavSRXinstancecanoperat eon VXLAN based MTU settings are supported for the followinginterfaces: fxp0, em0, and fab0/fab1. You can do this by setting themtuoptionof theset interfaces [fxp0 | mtu | fab0 | fab1]commandto a value between 256 and 9192.[SeeUnderstandingInterface Physical Properties.]vSRX: Config-drive supportwith cloud-initStartingin Junos OS Release , the cloud-initfunctionality in vSRX has beenextended to supportthe use of a configuration drive data source in an configuration drive uses the user-data attribute to pass a type text/plain.

5 The configuration drive is typically used in conjunction with the3 Copyright 2019, JuniperNetworks, service, and is present to the instance as a disk partitionlabeledconfig-2. Theconfigurationdrivehasamaximumsizeof64 MB,andmustbeformattedwitheitherthevfat or ISO 9660 configuration drive data source also provides the flexibility to add more than one and a license file.[SeeUsingCloud-Initin an OpenStack Environmentto Automate theInitializationof vSRXI nstances.]vSRX: IKE Gateway Extended Authentication (XAuth) supports a length ,onallSRXS eriesdevices,andvSRXinstances,themaximum numberofcharactersallowedforanIKEgateway ExtendedAuthentication(XAuth) clientusernamehas increased from 32 to supportfor ClearPass (SRX Series, vSRX)Startingin Junos OS Release , all SRX Series devices and vSRX API supports IPv6 user entries obtained from ClearPass. SRX Series devices canqueryClearPass for newly generated IPv6 user for identity information.

6 ClearPass canpush IPv6 user identity information to SRX Series devices. SRX Series devices supportthe use of IPv6 addresses associated with source identities in security policies.[SeeUnderstandingtheSRX Series Integrated ClearPass AuthenticationandEnforcementFeatureandUn derstandingHow ClearPass Initiates a SessionandCommunicates UserAuthenticationInformationto theSRX Series Device UsingtheWeb API.]Ability to configure LTE interface with IPv4-only mode(vSRX on NFX platform)Startingin Junos OS Release , theip-versionoptionhas been added to thecreate-profileconfiguration to enable you to specify the IP version for an LTE profile. Thesupportedip-versionvalues include:ipv4,ipv6, example, if you specifyip-version ipv4in therequest modemwireless create-profilecommand, whena modemuses this profile it will operate only in IPv4 ip-version ipv4[Seerequest modemwireless create-profile.]

7 ]vSRX Architecture IllustrationvSRX ArchitectureFigure 1 on page 5 is a high-level illustration of the vSRX architecture as of Junos OSRelease 2019, JuniperNetworks, Notes for vSRXF igure 1: vSRX ArchitectureHYPERVISORS/CLOUDENVIRONMENT SP hysicalx86g004195vSRXVMS torageMemoryJunosControlPlaneJCP/vRERPDR outingProtocolDaemonMGDM anagementDaemonJunosKernelQEMU/KVMJ uniperLinux(GuestOS)AdvancedServicesFlow ProcessingPacketForwardingDPDKDataPlaneD evelopmentKitMicrosoftHyper-VVMwareKVMK ernel-basedVirtualMachinesAWSA mazonWebServicesMicrosoftAzureCloudDeplo ymentContrailCloudDeploymentSupported FeaturesStartingin Junos OS Release vSRX, JuniperNetworks changed the nameof the virtual security product to details aboutJunos OS features supported on vSRX, seeFeature Explorer: removed from the command-lineinterface (CLI) of the vSRX software Features ReferencesTable1onpage6listsdocumentatio nreferencestoJunosOSfeaturesthataresuppo rtedstartingfrom Junos OS Release for vSRX.

8 See Known Behavior on page 7andSRX Series Features NotSupported on vSRXfor specific :SomevSRX features require a license. SeevSRX Feature LicensesOverviewfor more 2019, JuniperNetworks, and Changed FeaturesTable 1: DocumentationReferences for Junos OS Features Supported on vSRXvSRX PlatformFeature DocumentationFeatureVMware, KVM, Contrail,AWS, Azure, and Hyper-VApplicationFirewall OverviewApplication Firewall(AppFW)VMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingApplicationIdentific ationTechniquesApplicationIdentification (AppID)VMware, KVM, Contrail,AWS, Azure, and Hyper-VALG OverviewApplication LayerGateways (ALGs)VMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingApplicationQoS(AppQo S)Application Quality ofService (AppQoS)VMware, KVM, Contrail,AWS, Azure, and Hyper-VAttack DetectionandPreventionOverviewAttack Detection andPrevention(ADP)

9 KVMC hassisCluster OverviewChassis cluster supportfor Virtio driverVMwareChassisCluster OverviewChassis cluster supportfor VMXNET3driverHyper-VChassisCluster OverviewChassis cluster supportfor Windows Hyper-VServer 2016 NOTE: StartinginJunosOS ,supportfor chassisclustering to providenetwork noderedundancy is onlyavailable on WindowsHyper-VServer , KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingClass of ServiceClass of service (CoS)VMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingInterfacesDynamicHos tConfiguration Protocol(DHCP)VMware, KVM, Contrail,AWS, Azure, and Hyper-VJuniperNetworks Devices ProcessingOverviewFlow and packetprocessingVMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingIntrusionDetectionan dPreventionIntrusionDetectionandPreventi on(IDP)VMware, KVM, Contrail,AWS, Azure, and Hyper-VIPsec VPNO verviewIPsec VPNC opyright 2019, JuniperNetworks, Notes for vSRXT able 1.

10 DocumentationReferences for Junos OS Features Supported on vSRX (continued)vSRX PlatformFeature DocumentationFeatureVMware, KVM, Contrail,AWS, Azure, and Hyper-VMPLS OverviewMultiprotocol LabelSwitching(MPLS)VMware, KVM, and ContrailMulticast OverviewMulticastVMware, KVM, Contrail,AWS, Azure, and Hyper-VIntroductionto NATN etwork AddressTranslation (NAT)VMware, KVM, Contrail,AWS, Azure, and Hyper-VJunos OS RoutingProtocols LibraryRoutingprotocolsVMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingSecurity BasicsSecurity building bocksVMware, KVM, and ContrailEthernet SwitchingandLayer 2 TransparentModeOverviewTransparent modeVMware, KVM, Contrail,AWS, Azure, and Hyper-VUnified Threat ManagementOverviewUnified ThreatManagement(UTM)VMware, KVM, Contrail,AWS, Azure, and Hyper-VUnderstandingUser Authenticationfor Security DevicesUser authenticationUnsupported FeaturesWhile vSRX supports many of the Junos OS features supported on otherSRX Seriesdevices, supported on vSRX, see Known Behavior on page 7 andSRX Series Features NotSupported on vSRXfor specific in Behavior and SyntaxFor the most complete and latest information aboutchanges in commandbehavior andsyntax applicable to all SRX Series platforms in Junos OS Release , seeChanges in BehaviorandSyntax for BehaviorThissectioncontainstheknownbehav iors,systemmaximums,andlimitationsinhard wareand software in Junos OS Release for Cluster/HighAvailability In vSRX deployments, HA is not supported on Contrail, AWS, and Microsoft Azure.