

Junos Release Notes for Junos OS Release 12.1X47-D45 for Firefly Perimeter

Release 12.1X47-D45
11 November 2016
Revision 1

The Firefly Suite is designed to address the need for compelling and robust security for

diverse virtualized environments by bringing together three products–Firefly Perimeter,

Firefly Host, and Junos Space Virtual Director. These release notes accompany Junos OS

Release 12.1X47-D45 for Firefly Perimeter. They describe supported features and known

issues with Firefly Perimeter.

For the latest, most complete information about outstanding and resolved issues with

Firefly Perimeter, see the Juniper Networks online software defect search application at

http://www.juniper.net/prsearch.

You can also find these release notes on the Firefly Perimeter Documentation webpage,

which is located at https://www.juniper.net/techpubs/firefly-perimeter.

Copyright © 2016, Juniper Networks, Inc.

Contents

Release Notes for Firefly Perimeter
  Upgrading from Prior Releases of Firefly Perimeter
  Upgrade Instructions
  Optional Instructions for Validating Security Signatures
    Validating the Firefly Perimeter OVA Image
    Validating the Firefly Perimeter JVA Image Using Linux Commands
  Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter
    Licensing
      Firefly Perimeter Evaluation License Installation Process
      Firefly Perimeter License Installation Process
      Updating Firefly Perimeter Licenses
      Firefly Perimeter Feature License Models
  Features Supported on Firefly Perimeter
  Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter
  Known Behavior
  Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
    Flow and Processing
    Chassis Cluster
  Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
    Flow and Processing
  Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    Interfaces and Routing
  Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
    Chassis Cluster
  Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    J-Web
  Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
  Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
    Interfaces and Routing
  Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
    IPS
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    IPS
Junos OS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History

Release Notes for Firefly Perimeter

Firefly Perimeter is a virtual security appliance that provides security and networking

services at the perimeter in virtualized private or public cloud environments. It runs as a

virtual machine (VM) on a standard x86 server and enables advanced security and routing

at the network edge in a multitenant virtualized environment.

Firefly Perimeter is built on Junos OS and delivers security and networking features similar

to those available on branch SRX Series devices.

These release notes include:

• Upgrading from Prior Releases of Firefly Perimeter
• Upgrade Instructions
• Optional Instructions for Validating Security Signatures
• Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Features Supported on Firefly Perimeter
• Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter
• Known Behavior
• Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter

Upgrading from Prior Releases of Firefly Perimeter

You can upgrade to Junos OS Release 12.1X47-D45 for Firefly Perimeter from Junos OS

Release 12.1X47-D10 for Firefly Perimeter using the CLI, J-Web, or Junos Space Network

Management Platform.


Upgrade Instructions

To upgrade from a previous Junos OS release for Firefly Perimeter to Junos OS Release

12.1X47-D45 for Firefly Perimeter using the CLI:

1. Ensure that Junos OS Release 12.1X47-D10 for Firefly Perimeter is deployed with the

Junos OS for Firefly Perimeter Release 12.1X47-D10 .ova and .jva files.

    root@FFP-X47> show version
    Hostname: FFP-X47
    Model: firefly-perimeter
    JUNOS Software Release [12.1X47-D10.4]
    root@FFP-X47>

2. Download the Junos OS for Firefly Perimeter Release 12.1X47-D45 .tgz file from the

Juniper website.

3. Upload the Junos OS for Firefly Perimeter Release 12.1X47-D45 .tgz file to your local

file system, for example, to the /var/tmp partition.

    root@FFP-X47> file list /var/tmp
    /var/tmp@ -> /cf/var/tmp
    root@FFP-X47> file list /cf/var/tmp
    /cf/var/tmp/
    cleanup-pkgs.log
    eedebug_bin_file
    gksdchk.log
    gres-tp/
    install/
    junos-vsrx-12.1X47-D45.4-domestic.tgz
    kmachk.log
    krt_gencfg_filter.txt
    pics/
    policy_status
    rtsdb/
    spu_kmd_init
    vi.recover/
    vpn_tunnel_orig.id
    root@FFP-X47>

4. Execute the command request system software add /var/tmp/[name_of_tgz_package]

no-validate reboot to install the new Junos OS for Firefly Perimeter Release 12.1X47-D45

.tgz image file.

    root@FFP-X47> ...vsrx-12.1X47-D45.4-domestic.tgz no-validate reboot
    Installing package '/var/tmp/junos-vsrx-12.1X47-D45.4-domestic.tgz' ...
    Verified junos-boot-vsrx-12.1X47-D45.4.tgz signed by PackageProduction_12_1_0
    Verified junos-vsrx-12.1X47-D45.4-domestic signed by PackageProduction_12_1_0
    Available space: 849286 require: 4714
    Saving boot file package in /var/sw/pkg/junos-boot-vsrx-12.1X47-D45.4.tgz
    JUNOS 12.1X47-D45.4 will become active at next reboot
    Saving package file in /var/sw/pkg/junos-12.1X47-D45.4.tgz ...
    Saving state for rollback ...
    Rebooting ...
    shutdown: [pid 2535]
    Shutdown NOW!

    *** FINAL System shutdown Message from root@FFP-X47 ***
    System going down IMMEDIATELY

    root@FFP-X47>

You can use either the FTP or the HTTP protocol to upgrade packages on Firefly

Perimeter from a remote server.

• FTP

ftp://hostname/pathname/package-name

• HTTP

http://hostname/pathname/package-name

For more information, see Installing Junos OS Upgrades from a Remote Server on the

SRX Series Devices.

5. Reboot the system to complete the upgrade process.

6. You have successfully updated to Junos OS for Firefly Perimeter Release 12.1X47-D45.

Now log in and verify using the show version command.

    FP-X47 (ttyv0)

    login: root
    password:
    --- JUNOS 12.1X47-D45.4 built 2015-05-14 23:57:11 UTC
    root@FFP-X47%
    root@FFP-X47%
    root@FFP-X47% cli
    root@FFP-X47>

    root@FFP-X47> show version
    Hostname: FFP-X47
    Model: firefly-perimeter
    JUNOS Software Release [12.1X47-D45.4]
    root@FFP-X47>

You can upgrade from a previous release of Firefly Perimeter to Junos OS for Firefly

Perimeter Release 12.1X47-D45 using J-Web. For more information, see Installing Junos

OS Upgrade Packages on SRX Devices from a Remote Server.

You can upgrade from a previous release of Firefly Perimeter to Junos OS for Firefly

Perimeter Release 12.1X47-D45 using Junos Space Network Management Platform. For

more information, see Installing and Upgrading Junos Space Software Overview.

Optional Instructions for Validating Security Signatures

This section includes instructions for validating security signatures.

CAUTION: During the Firefly Perimeter installation or upgrade process, do not modify the filename of the software image that you download from the Juniper Networks support site. If you modify the filename, then the installation or upgrade will fail.

• Validating the Firefly Perimeter OVA Image

• Validating the Firefly Perimeter JVA Image Using Linux Commands

Validating the Firefly Perimeter OVA Image

Starting with Junos OS for Firefly Perimeter Release 12.1X47-D10, the Firefly Perimeter

Open Virtualization Format Archive (OVA) image is securely signed. You can validate the

OVA image, if necessary. However, you can install or upgrade Firefly Perimeter without

validating the OVA image. Before you validate the OVA image, ensure that the Linux/UNIX

PC on which you are performing the validation has the following utilities available: tar,

openssl, and ovftool. You can download the VMware Open Virtualization Format (OVF)

tool from the following location:

https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=OVFTOOL351

To validate the OVA image:

1. Download the Firefly Perimeter OVA image and the Juniper Networks root certificate

file (JuniperRootRSACA.pem) from the Firefly Perimeter downloads page at

https://www.juniper.net/support/downloads/?p=firefly#sw.

NOTE: You need to download the Juniper Networks root certificate file only once; you can use the same file to validate OVA images for future releases of Firefly Perimeter.

2. (Optional) If you downloaded the OVA image and the certificate file to a PC that is

running Windows, copy the two files to a temporary directory on a PC that is running

Linux or UNIX. You can also copy the OVA image and the certificate file to a temporary

directory (/var/tmp or /tmp) on a Firefly Perimeter node.

Ensure that the OVA image file and the Juniper Networks root certificate file are not

modified during the validation procedure. You can do this by assigning write access

to these files only to the user performing the validation procedure. This is especially

important if you use an accessible temporary directory, such as /tmp or /var/tmp,

because such directories can be accessed by several users. Take precautions to ensure

that the files are not modified by other users during the validation procedure.

3. Navigate to the directory that contains the OVA image.

4. Unpack the OVA image by running the following command:

tar xf ova-filename

where ova-filename is the filename of the previously downloaded OVA image.

5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem)

and a signature file (vsrx.cert).


6. Validate the signature in the unpacked OVF file (extension .ovf) by running the following

command:

ovftool ovf-filename

where ovf-filename is the filename of the unpacked OVF file that is contained within

the previously downloaded OVA image.

7. After the unpacked OVF file is validated, validate the signing certificate with the Juniper

Networks root CA file by running the following command:

openssl verify -CAfile JuniperRootRSACA.pem -untrusted Certificate-Chain-File Signature-file

where JuniperRootRSACA.pem is the Juniper Networks root CA file, Certificate-Chain-File

is the filename of the unpacked certificate chain file (extension .pem), and

Signature-file is the filename of the unpacked signature file (extension .cert).

If the validation is successful, a message indicating that the validation is successful

is displayed.

A sample of the validation procedure is as follows:

    -bash-4.1$ ls
    JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic.ova
    -bash-4.1$ mkdir tmp
    -bash-4.1$ cd tmp
    -bash-4.1$ tar xf ../junos-vsrx-12.1X47-D10.4-domestic.ova
    -bash-4.1$ ls
    certchain.pem junos-vsrx-12.1X47-D10.4-domestic.cert junos-vsrx-12.1X47-D10.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D10.4-domestic.mf junos-vsrx-12.1X47-D10.4-domestic.ovf
    -bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-12.1X47-D10.4-domestic.ovf
    OVF version: 1.0
    VirtualApp: false
    Name: Firefly Perimeter
    Version: JUNOS 12.1
    Vendor: Juniper Networks Inc.
    Product URL: http://www.juniper.net/us/en/products-services/software/security/vsrxseries/
    Vendor URL: http://www.juniper.net/
    Download Size: 227.29 MB

    Deployment Sizes:
      Flat disks: 2.00 GB
      Sparse disks: 265.25 MB

    Networks:
      Name: VM Network
      Description: The VM Network network

    Virtual Machines:
      Name: Juniper Virtual SRX
      Operating System: freebsdguest
      Virtual Hardware:
        Families: vmx-07
        Number of CPUs: 2
        Cores per socket: 1
        Memory: 2.00 GB

        Disks:
          Index: 0
          Instance ID: 5
          Capacity: 2.00 GB
          Disk Types: IDE

        NICs:
          Adapter Type: E1000
          Connection: VM Network

          Adapter Type: E1000
          Connection: VM Network

    Deployment Options:
      Id: 2GvRAM
      Label: 2G vRAM
      Description: 2G Memory

    -bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem junos-vsrx-12.1X47-D10.2-domestic.cert
    junos-vsrx-12.1X47-D10.2-domestic.cert: OK

8. (Optional) If the validation is not successful, perform the following tasks:

a. Determine if the contents of the OVA image have been modified. If the contents

have been modified, download the OVA image from the Firefly Perimeter downloads

page.

b. Determine if the Juniper Networks root CA file is corrupted or modified. If it was

corrupted or modified, download the certificate file from the Firefly Perimeter

downloads page.

c. Retry the preceding validation steps using one or both new files.

Validating the Firefly Perimeter JVA Image Using Linux Commands

The Firefly Perimeter .jva format includes an embedded digital signature that can be

validated to ensure authenticity of the content. In order to do so, along with the .jva file,

you will need a copy of the Juniper Networks root certificate. Once you have downloaded

both files, you will need to run a set of commands to extract the contents within the .jva

file, authenticate the embedded signature with the signing certificate, and authenticate

the signing certificate with the Juniper Networks root certificate.

Once you have the .jva file and Juniper Networks root certificate file in the same directory,

use the following commands:

1. bash junos-vsrx-12.1X47-D10.4-domestic.jva -x (Press 'y' to accept the EULA.)

2. ls (This command shows the newly created directory that contains the .jva contents.)

3. cd (This command opens the newly created directory that contains the .jva contents.)

4. openssl x509 -pubkey -noout -in vsrx.cert > public.pem (This command extracts the

public key from the signing certificate.)

5. head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary (This command converts

the hex-encoded signature to binary format.)

6. openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig (This command

validates the signature with the signing certificate. A successful validation returns the

message “Verified OK”.)

7. openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert (This

command validates the signing certificate with the Juniper Networks root certificate.

A successful validation returns the message “vsrx.cert: OK”.)

A sample of the JVA signature validation procedure using Linux commands is as follows:

    -bash-4.1$ ls
    JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic.jva
    -bash-4.1$ bash junos-vsrx-12.1X47-D10.4-domestic.jva -x
    Accept?[y/n]y
    Extracting ...
    Image dumped: junos-vsrx-12.1X47-D10.4-domestic/junos-vsrx-12.1X47-D10.4-domestic.img
    -rw-r--r-- 1 dkan nscn 278659072 Aug 15 10:05 junos-vsrx-12.1X47-D10.4-domestic/junos-vsrx-12.1X47-D10.4-domestic.img
    -bash-4.1$ ls
    JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic junos-vsrx-12.1X47-D10.4-domestic.jva
    -bash-4.1$ cd junos-vsrx-12.1X47-D10.4-domestic
    -bash-4.1$ ls
    certchain.pem junos-vsrx-12.1X47-D10.4-domestic.img vsrx.cert vsrx.sig vsrx.xml
    -bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert
    vsrx.cert: OK
    -bash-4.1$ openssl x509 -pubkey -noout -in vsrx.cert > public.pem
    -bash-4.1$ head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary
    -bash-4.1$ openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig
    Verified OK
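The following shell functions are an added example, not part of the Juniper release notes: they stage the downloaded files in a directory only the validating user can access (the precaution given in step 2 of the OVA procedure) and run the JVA checks listed above so that any failed step stops the run. The function names and exit codes are this example's own; the openssl commands, file names and success messages are the ones the procedure gives.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for the JVA validation steps above.
# Function names are this example's own; file names (vsrx.cert, vsrx.sig,
# certchain.pem) and success messages are the ones the procedure lists.

# Run a command; succeed only if it exits 0 AND prints exactly the expected line.
expect_line() {
    want=$1
    shift
    got=$("$@" 2>/dev/null) || return 1
    [ "$got" = "$want" ]
}

# Succeed if group or others may write to the path (true for /tmp and /var/tmp).
writable_by_others() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Copy the named files into a new directory that only the current user can
# access, make the copies read-only, and print the directory's path.
stage_private() {
    stage_dir=$(umask 077 && mktemp -d) || return 1
    for src in "$@"; do
        dst=$stage_dir/$(basename -- "$src")
        cp -- "$src" "$dst" && chmod 0400 "$dst" || return 1
    done
    printf '%s\n' "$stage_dir"
}

# $1 = directory created by "bash <image>.jva -x", $2 = Juniper root certificate.
# Returns 0 only if every check passes: 1 = files missing, 2 = certificate
# chain, 3 = key or signature extraction, 4 = signature over vsrx.sig.
verify_jva_dir() {
    root_dir=$(cd "$(dirname -- "$2")" 2>/dev/null && pwd) || return 1
    root_ca=$root_dir/$(basename -- "$2")
    (
        cd "$1" 2>/dev/null || exit 1
        for f in vsrx.cert vsrx.sig certchain.pem; do
            [ -f "$f" ] || exit 1
        done
        # Chain check first: the signing key is trusted only once vsrx.cert
        # is shown to descend from the root certificate.
        expect_line "vsrx.cert: OK" openssl verify -CAfile "$root_ca" \
            -untrusted certchain.pem vsrx.cert || exit 2
        openssl x509 -pubkey -noout -in vsrx.cert > public.pem || exit 3
        # First line of vsrx.cert carries the hex-encoded signature in field 2.
        head -n 1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary
        [ -s signature.binary ] || exit 3
        # SHA-1 is the digest the procedure above specifies for this format.
        expect_line "Verified OK" openssl dgst -sha1 -verify public.pem \
            -signature signature.binary vsrx.sig || exit 4
    )
}

# Usage (image name as in the sample above):
#   dir=$(stage_private junos-vsrx-12.1X47-D10.4-domestic.jva JuniperRootCA.pem)
#   cd "$dir" && bash junos-vsrx-12.1X47-D10.4-domestic.jva -x
#   verify_jva_dir junos-vsrx-12.1X47-D10.4-domestic JuniperRootCA.pem
```

Requiring both a zero exit status and the exact success message means a run counts as validated only when it prints what the procedure says a successful validation prints.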


Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter

Table 1 lists the main features that are supported on Junos OS Release

12.1X47-D45 for Firefly Perimeter.

Table 1: Features Supported on Firefly Perimeter

Feature | Description | Firefly Perimeter Platform

Unified Threat Management (UTM) | Consolidation of several security features into one device, protecting against multiple threat types. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-utm-index.html | VMware and KVM

Intrusion Detection and Prevention (IDP) | Detects and prevents attacks in network traffic. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-idp-index.html | VMware and KVM

Transparent mode | Filters packets that traverse the device without modifying any of the source or destination information in the IP packet headers. For more information: http://www.junos.com/techpubs/en_US/junos12.1x45/topics/concept/security-layer2-bridging-transparent-mode-overview.html | VMware and KVM

IPsec VPN | Provides security to IP flows through the use of authentication and encryption. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-vpn-ipsec.html | VMware and KVM


Chassis cluster support for VirtIO driver | KVM hypervisor environment supports chassis cluster using the VirtIO driver and interfaces. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-chassis-cluster.html | KVM

Transparent mode chassis cluster support | Supports transparent mode on chassis cluster. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-chassis-cluster.html | VMware and KVM

VMware vSphere 5.5 support | VMware vSphere 5.5 supported in addition to VMware vSphere 5.0 and 5.1. | VMware

Deterministic NAT | Identifies attackers and deals with abuse without NAT logging for each connection or port block. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-nat.html#overview | VMware and KVM

Port Block Allocation (PBA) NAT | Allocates ports to subscribers in blocks and generates logs during block allocation or release. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-nat.html#overview | VMware and KVM


Application Identification (AppID) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppID is supported. This feature identifies applications as parts of application clusters in TCP/UDP/ICMP traffic. AppID strengthens the firewall at different network layers using different techniques rather than port numbers and IP addresses. Application signatures are modified to provide security at application levels. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-application-identification.html | VMware and KVM

Application Quality of Service (AppQoS) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppQoS is supported. AppQoS is a part of the AppSecure suite of components. This feature expands the capability of AppQoS to include marking DiffServ code point (DSCP) values based on Layer 7 application. Rate-limiter, DSCP rewrite, set loss priority, priority, and queue traffic are the techniques used by AppQoS. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/security-application-qos-understanding.html | VMware and KVM

Application Firewall (AppFW) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppFirewall is supported. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/application-firewall-overview.html | VMware and KVM

Dynamic Host Configuration Protocol (DHCP) | Starting in Firefly Perimeter 12.1X47-D20, DHCP is supported. DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own IP address, the IP address of a server host, and the name of a bootstrap file. | VMware and KVM


Licensing

Starting with Junos OS Release 12.1X47-D20 for Firefly Perimeter, licenses are required

for advanced security features such as UTM, IPS, and AppSecure.

Licenses are usually ordered when the software application is purchased, and this

information is bound to a customer ID. If you did not order the licenses when you purchased

your software application, contact your account team or Juniper Networks Customer

Care for assistance. Licenses can be procured from the Juniper Networks License

Management System (LMS). To continue using Firefly Perimeter features after an optional

30-day evaluation period (see Firefly Perimeter Evaluation License Installation Process), you must purchase and install the license on the device. Otherwise, the features are disabled.

Table 2 on page 13 lists the Firefly Perimeter license information.

Table 2: Firefly Perimeter License Information

| License Details | Description |
| --- | --- |
| License Type | 1-, 3-, and 5-year standalone and bundle SKUs. |
| License Key | License authorization code issued with purchase. The key is obtained with the authorization code. |
| License Key Validity | License key is valid for multiple instances and contains a customer ID. |
| License Key Duration | Same as purchased license. |
| License Key Activation | Activated with license key. |
| License Enforcement | Enforced with license key. |

NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the command show system license status.

We recommend that you delete the existing licenses before performing a software downgrade.

Firefly Perimeter Evaluation License Installation Process

Juniper Networks provides a 30-day evaluation license for Firefly Perimeter advanced security features. You can download the evaluation license from the Evaluation Download link. Installation of the evaluation license is similar to the regular license installation using the CLI. See Firefly Perimeter License Installation Process.

NOTE: The 30-day evaluation license period begins from the day you enable the enhanced security features after installing the evaluation licenses.

Firefly Perimeter License Installation Process

You can install Firefly Perimeter licenses using the following options:

• J-Web interface

• Junos OS CLI

To install a license from the J-Web interface:

1. Select Maintain>Licenses on the J-Web user interface. The Licenses window is displayed as shown in Figure 1.

Figure 1: Licenses Window

2. Click Add. The Add License window is displayed as shown in Figure 2.

3. Enter the full URL to the destination file containing the license key in the License File URL box or paste the license key text, in plain-text format, in the License Key Text box.

Figure 2: Add License Window

4. Click OK to add the license key. The License Details window is displayed as shown in Figure 3.

Figure 3: License Details Window

5. The license key is installed and activated on Firefly Perimeter.

To install a license from the CLI:

1. View the details of the license by entering the show system license command.

2. Install the license by entering the request system license add terminal command.

3. Enter the license key and press CTRL+D to end your input.

```
root@host> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed: none

root@host> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]

E413012057 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
           cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
           aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
           cccccc bbbbbb dddddd aaaaaa ffffff

E413012057: successfully added
add license complete (no errors)

root@host> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            1           0    2015-12-31 08:00:00 CST

Licenses installed:
  License identifier: E413012057
  License version: 4
  Software Serial Number: FFPVSRXESXCN
  Customer ID: TEST-USER-SYSTEM
  Features:
    wf_key_websense_ewf - Web Filtering EWF
      date-based, 2014-11-01 08:00:00 CST - 2015-12-31 08:00:00 CST
```

NOTE: You can save the license key to a file and upload this file to the Firefly Perimeter file system through FTP or Secure Copy Protocol (SCP). Install the license, and then use the show system license command to view the updated license information.

4. The license key is installed and activated on Firefly Perimeter.
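Because licensed security features are disabled when no valid license is installed, the License usage table of show system license is worth checking automatically. The following Python code is an added example, not Juniper code: it parses saved command output and flags features that are unlicensed, expired, or close to expiry. The function names, the example_feature row, and the 30-day warning window are assumptions, and the sample output is constructed from the listing above.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "show system license" output in this section.
# "example_feature" is a made-up feature name used only for illustration.
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            1           0    2015-12-31 08:00:00 CST
  example_feature                       1            0           1    invalid

Licenses installed:
  License identifier: E413012057
  License version: 4
"""

# feature name, three counters, then an optional expiry/status column
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S.*?))?\s*$")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_license_usage(text):
    """Return one dict per feature row of the 'License usage' table."""
    rows, in_usage = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("License usage:"):
            in_usage = True
            continue
        if stripped.startswith("Licenses installed:"):
            break  # the per-license detail section is not needed here
        match = ROW.match(line) if in_usage else None
        if not match:
            continue  # column headings and blank lines
        name, used, installed, needed, expiry = match.groups()
        stamp = STAMP.search(expiry or "")
        rows.append({
            "feature": name,
            "used": int(used),
            "installed": int(installed),
            "needed": int(needed),
            # Assumption: the time zone abbreviation is ignored and the
            # timestamp is compared as device-local time.
            "expires": datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S")
            if stamp else None,
            "status": expiry or "",
        })
    return rows


def audit_licenses(text, now, warn_days=30):
    """Return (feature, finding) pairs for features that need attention."""
    findings = []
    for row in parse_license_usage(text):
        if row["needed"] > 0:
            findings.append((row["feature"], "unlicensed: %d needed, status %s"
                             % (row["needed"], row["status"] or "unknown")))
        elif row["expires"] is not None:
            remaining = row["expires"] - now
            if remaining.total_seconds() <= 0:
                findings.append((row["feature"], "expired"))
            elif remaining.days < warn_days:
                findings.append((row["feature"],
                                 "expires in %d days" % remaining.days))
    return findings


if __name__ == "__main__":
    for feature, finding in audit_licenses(SAMPLE_OUTPUT, datetime(2015, 12, 10)):
        print("%-24s %s" % (feature, finding))
```

The default warn_days of 30 matches the renew before-expiration 30 setting used in the automatic update configuration in this section.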

Updating Firefly Perimeter Licenses

You can update the Firefly Perimeter licenses using the following two methods.

• Automatic license update using the CLI

• Manual license update using the CLI

To enable automatic license updates from the CLI:

1. Obtain a valid license.

2. Configure a valid update server at https://ae1.juniper.net.

3. Contact your account team or Juniper Networks Customer Care for assistance.

4. Use the following configuration to enable automatic license updates.

root@host>

```
system {
    license {
        autoupdate {
            url https://url.of.license.server;
        }
        renew before-expiration 30 interval 6;
    }
}
```

The configuration allows Firefly Perimeter to contact the license server 30 days before the current license expires and sends an automatic update request every 6 hours.

To manually update the license from the CLI:

1. Update the license by entering the request system license update url https://url.of.license.server command.

2. Check the status of the license by entering the show system license command.

This command sends a license update request to the license server immediately.

Firefly Perimeter Feature License Models

For information about how to purchase a software license, contact your Juniper Networks sales representative at http://www.juniper.net/in/en/contact-us/.

The same license key can be installed on multiple devices as long as it is not installed on more devices than the license was purchased for. Table 3 describes the Firefly Perimeter features that require licenses.

Table 3: Firefly Perimeter Feature Licenses

Feature

Application Signature Update (Application Identification)

IDP Signature Update

Juniper-Sophos Antivirus

Juniper-Sophos Antispam

Juniper-Websense Enhanced Web Filter

Each license allows you to run the specified advanced software features on Firefly Perimeter.

Features Supported on Firefly Perimeter

Firefly Perimeter inherits many features from the SRX Series product line. However, because some SRX Series features are not directly applicable in a virtualized environment, they have been excluded from the Firefly Perimeter product line. Table 4 describes the available features on Firefly Perimeter as of Junos OS Release 12.1X47-D45. For feature roadmap details, contact your Juniper Networks representative.

Table 4: Features Supported on Firefly Perimeter

| Feature | Support on Firefly Perimeter |
| --- | --- |
| Address Books and Address Sets: | |
| Address books | Yes |
| Address sets | Yes |
| Global address objects or sets | Yes |
| Nested address groups | Yes |
| Administrator Authentication: | |
| Local authentication | Yes |
| RADIUS | Yes |
| TACACS+ | Yes |
| Alarms: | |
| Chassis alarms | Yes |
| Interface alarms | Yes |
| System alarms | Yes |
| Application Layer Gateways: | |
| DNS ALG | Yes |
| DNS doctoring support | Yes |
| DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering | Yes |
| DSCP marking for SIP, H.323, MGCP, and SCCP ALGs | Yes |
| FTP | Yes |
| H.323 | Yes |
| Avaya H.323 | No |
| IKE | Yes |
| MGCP | Yes |
| PPTP | Yes |
| RSH | Yes |
| RTSP | Yes |
| SCCP | Yes |
| SIP | Yes |
| SIP ALG–NEC | Yes |
| SQL | Yes |
| MS RPC | Yes |
| SUN RPC | Yes |
| TALK | Yes |
| TFTP | Yes |
| Attack Detection and Prevention: | |
| Bad IP option | Yes |
| Block fragment traffic | Yes |
| FIN flag without ACK flag set protection | Yes |
| ICMP flood protection | Yes |
| ICMP fragment protection | Yes |
| IP address spoof | Yes |
| IP address sweep | Yes |
| IP record route option | Yes |
| IP security option | Yes |
| IP stream option | Yes |
| IP strict source route option | Yes |
| IP timestamp option | Yes |
| Land attack protection | Yes |
| Large size ICMP packet protection | Yes |
| Loose source route option | Yes |
| Ping of death attack protection | Yes |
| Port scan | Yes |
| Source IP-based session limit | Yes |
| SYN-ACK-ACK proxy protection | Yes |
| SYN and FIN flags set protection | Yes |
| SYN flood protection | Yes |
| SYN fragment protection | Yes |
| TCP address sweep | Yes |
| TCP packet without flag set protection | Yes |
| Teardrop attack protection | Yes |
| UDP address sweep | Yes |
| UDP flood protection | Yes |
| Unknown IP protocol protection | Yes |
| Whitelist for SYN flood screens | Yes |
| WinNuke attack protection | Yes |
| Authentication with IC Series Devices: | |
| Captive Portal | Yes |
| Junos OS Layer 3 enforcement in UAC deployments | Yes |
| Junos OS Layer 2 enforcement in UAC deployments | No. NOTE: UAC-IPS and UAC-UTM are also not supported. |
| Autoinstallation: | |
| Autoinstallation | Yes |
| Class of Service: | |
| Classifiers | Yes |
| Code-point aliases | Yes |
| Egress interface shaping | Yes |
| Forwarding classes | Yes |
| High-priority queue on Services Processing Card | No |
| Ingress interface policer | Yes |
| Schedulers | Yes |
| Simple filters | Yes |
| Transmission queues | Yes |
| Tunnels | Yes. NOTE: GRE and IP-IP tunnels only. |
| Virtual channels | Yes |
| Diagnostics Tools: | |
| CLI terminal | Yes |
| Flow monitoring cflowd version 5 and flow monitoring cflowd version 8 | Yes |
| Flow monitoring cflowd version 9 | No |
| Ping host | Yes |
| Ping MPLS | Yes |
| Ping Ethernet (CFM) | No |
| Traceroute | Yes |
| Traceroute Ethernet (CFM) | No |
| DNS Proxy: | |
| DNS proxy cache | Yes |
| DNS proxy with split DNS | Yes |
| Dynamic DNS | No |
| Dynamic Host Configuration Protocol: | |
| DHCPv6 client | Yes |
| DHCPv4 client | Yes |
| DHCPv6 relay agent | Yes |
| DHCPv4 relay agent | Yes |
| DHCPv6 server | Yes |
| DHCPv4 server | Yes |
| DHCP server address pools | Yes |
| DHCP server static mapping | Yes |
| Ethernet Link Aggregation: | |
| Routing mode: | |
| LACP in chassis cluster pair | No |
| LACP in standalone device | No |
| Layer 3 LAG on routed ports | No |
| Static LAG in chassis cluster mode | No |
| Static LAG in standalone mode | No |
| Ethernet Link Fault Management: | |
| Interfaces supported: | |
| LACP in chassis cluster pair | No |
| LACP in standalone mode | No |
| Static LAG in chassis cluster mode | No |
| Static LAG in standalone mode | No |
| Physical interface (encapsulations): | |
| ethernet-ccc | No |
| extended-vlan-ccc | No |
| ethernet-tcc | No |
| extended-vlan-tcc | No |
| Interface family: | |
| ccc | No |
| ethernet-switching | No |
| inet | Yes |
| inet6 | Yes |
| iso | Yes |
| mpls | Yes |
| tcc | No |
| Aggregated Ethernet interface: | |
| LACP enabled LAG | No |
| Static LAG | No |
| Interface family: | |
| ethernet-switching | No |
| inet | Yes |
| inet6 | Yes |
| iso | Yes |
| mpls | Yes |
| File Management: | |
| Archive files | Yes |
| Calculate checksum | Yes |
| Compare files | Yes |
| Clean up unnecessary files | Yes |
| Delete backup software image | Yes |
| Delete individual files | Yes |
| Download system files | Yes |
| Encrypt/decrypt configuration files | Yes |
| Manage account files | Yes |
| Monitor start | Yes |
| Rename files | Yes |
| Rescue | Yes |
| System zeroize | Yes |
| Firewall Authentication: | |
| Firewall authentication on Layer 2 transparent authentication | Yes |
| LDAP authentication server | Yes |
| Local authentication server | Yes |
| Pass-through authentication | Yes |
| RADIUS authentication server | Yes |
| SecurID authentication server | Yes |
| Web authentication | Yes |
| Flow-Based and Packet-Based Processing: | |
| Alarms and auditing | Yes |
| End-to-end packet debugging | No |
| Flow-based processing | Yes |
| Network processor bundling | No |
| Packet-based processing | Yes |
| Selective stateless packet-based services | Yes |
| Interfaces: | |
| Physical and Virtual Interface: | |
| Ethernet interface | Yes |
| Gigabit Ethernet interface | Yes |
| Services: | |
| Aggregated Ethernet interface | No |
| GRE interface | Yes |
| IEEE 802.1X dynamic VLAN assignment | No |
| IEEE 802.1X MAC bypass | No |
| IEEE 802.1X port-based authentication control with multisupplicant support | No |
| Interleaving using MLFR | No |
| Internally configured interface used by the system as a control path between the WXC Integrated Services Module and the Routing Engine | No |
| Internally generated GRE interface (gr-0/0/0) | Yes |
| Internally generated IP-over-IP interface (ip-0/0/0) | Yes |
| Internally generated link services interface | Yes |
| Internally generated PIM de-encapsulation interface | Yes |
| Internally generated PIM encapsulation interface | Yes |
| Link fragmentation and interleaving interface | Yes |
| Link services interface | Yes |
| Loopback interface | Yes |
| Management interface | Yes |
| PPP interface | No |
| PPPoE-based radio-to-router protocol | No |
| PPPoE interface | No |
| Promiscuous mode on interfaces | Yes. NOTE: Promiscuous mode needs to be enabled on hypervisor. |
| Secure tunnel interface | Yes |
| IP Monitoring: | |
| IP monitoring with route failover (for standalone devices and redundant Ethernet interfaces) | Yes |
| IP monitoring with interface failover (for standalone devices) | Yes |
| Track IP enhancements (IP monitoring using RPM) | No |
| IP Security: | |
| Acadia - Clientless VPN | No |
| Alarms and auditing | Yes |
| Antireplay (packet replay attack prevention) | Yes |
| Authentication | Yes |
| Authentication Header (AH) | Yes |
| Autokey management | Yes |
| Automated certificate enrollment using SCEP | Yes |
| Automatic generation of self-signed certificates | Yes |
| Bridge domain and transparent mode | Yes |
| Certificate - Configure local certificate sent to peer | Yes |
| Certificate - Configure requested CA of peer certificate | Yes |
| Certificate - Encoding: PKCS7, X509, PEM, DERs | Yes |
| Certificate - RSA signature | Yes |
| Chassis clusters (active/backup and active/active) | Yes. NOTE: VMware platform only. |
| CoS | Yes |
| CRL update at user-specified interval | Yes |
| Config mode (draft-dukes-ike-mode-cfg-03) | Yes |
| Dead peer detection (DPD) | Yes |
| Diffie-Hellman (PFS) Group 1 | Yes |
| Diffie-Hellman (PFS) Group 2 | Yes |
| Diffie-Hellman (PFS) Group 5 | Yes |
| Diffie-Hellman Group 1 | Yes |
| Diffie-Hellman Group 2 | Yes |
| Diffie-Hellman Group 5 | Yes |
| Digital signature generation | Yes |
| Dynamic IP address | Yes |
| Dynamic IPsec VPNs | No |
| Encapsulating Security Payload (ESP) protocol | Yes |
| Encryption algorithm 3DES | Yes |
| Encryption algorithm AES 128, 192, and 256 | Yes |
| Encryption algorithm DES | Yes |
| Encryption algorithms NULL (authentication only) | Yes |
| Entrust, Microsoft, and Verisign certificate authorities (CAs) | Yes |
| External Extended Authentication (Xauth) to a RADIUS server for remote access connections | Yes |
| Group Encrypted Transport (GET VPN) | No |
| Group VPN with dynamic policies | No |
| Hard lifetime limit | Yes |
| Hardware IPsec (bulk crypto) Cavium/RMI | No |
| Hash algorithms MD5 | Yes |
| Hash algorithms SHA-1 | Yes |
| Hash algorithms SHA-2 (SHA-256) | Yes |
| Hub & spoke VPN | Yes |
| Idle timers for IKE | Yes |
| Improvements in VPN debug capabilities | Yes |
| Initial contact | Yes |
| Invalid SPI response | Yes |
| IKE Diffie-Hellman Group 14 support | Yes |
| IKE Phase 1 | Yes |
| IKE Phase 1 lifetime | Yes |
| IKE Phase 2 | Yes |
| IKE Phase 2 lifetime | Yes |
| IKE and IPsec predefine proposal sets to work with dynamic VPN client | No |
| IPsec tunnel termination in routing instances | Yes |
| IKE support | Yes |
| IKEv1 | Yes |
| IKEv1 authentication, preshared key | Yes |
| IKEv2 | Yes |
| Local IP address management support for VPN XAuth | Yes |
| Local IP address management support for DVPN | No |
| Manual installation of DER-encoded and PEM-encoded CRLs | Yes |
| Manual key management | Yes |
| Manual proxy-ID (Phase 2 ID) configuration | Yes |
| Next-Hop Tunnel Binding (NHTB) | Yes |
| New IPsec Phase 2 authentication algorithm | Yes |
| Online CRL retrieval through LDAP and HTTP | Yes |
| Package dynamic VPN client | No |
| Policy-based VPN | Yes |
| Preshared key (PSK) | Yes |
| Prioritization of IKE packet processing | Yes |
| Reconnect to dead IKE peer | Yes |
| Remote access | Yes |
| Remote access user IKE peer | Yes |
| Remote access user-group IKE peer - group IKE ID | Yes |
| Route-based VPN | Yes |
| SHA-2 IPsec support | Yes |
| Soft lifetime | Yes |
| Static IP address | Yes |
| Suites: standard, compatible, basic, and custom-created | Yes |
| Support for NHTB when the st0.x interface is bound to a routing instance | Yes |
| Support for remote access peers with shared IKE identity + mandatory XAuth | Yes |
| Support group IKE IDs for dynamic VPN configuration | No |
| TOS/DSCP honoring/coloring (inner/outer) | Yes |
| Tunnel mode with clear/copy/set Don't Fragment bit | Yes |
| UAC Layer 3 enforcement | Yes |
| Virtual router support for route-based VPNs | Yes |
| VPN monitoring (proprietary) | Yes |
| X.509 encoding for IKE | Yes |
| XAuth (draft-beaulieu-ike-xauth-03) | Yes |
| IPv6 Support: | |
| Flow-based forwarding and security features: | |
| Advanced flow | Yes |
| DS-Lite concentrator (aka AFTR) | No |
| DS-Lite initiator (aka B4) | No |
| Firewall filters | Yes |
| Forwarding option: flow mode | Yes |
| Multicast flow | Yes |
| Screens | Yes |
| Security policy (firewall) | Yes |
| Security policy (IPS) | Yes |
| Security policy (user role firewall) | No |
| Zones | Yes |
| IPv6 ALG support for FTP: Routing, NAT, NAT-PT support | Yes |
| IPv6 ALG support for ICMP: Routing, NAT, NAT-PT support | Yes |
| IPv6 NAT: NAT-PT, NAT support | Yes |
| IPv6 NAT64 | Yes |
| IPv6-related protocols: BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng | Yes |
| IPv6 ALG support for TFTP | Yes |
| System services: DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet, traceroute | Yes |
| Packet-based forwarding and security features: | |
| CoS | Yes |
| Firewall filters | Yes |
| Forwarding option: packet mode | Yes |
| Chassis Cluster | |
| Chassis Cluster Support on VMware: | |
| Active-active | Yes |
| Active-passive | Yes |
| ALGs | Yes |
| Chassis cluster formation | Yes |
| Control plane failover | Yes |
| Dampening time between back-to-back redundancy group failover | Yes |
| Data plane failover | Yes |
| Dual control links | No |
| Dual fabric links | Yes |
| In-band cluster upgrade | No |
| Junos OS flow-based routing functionality | Yes |
| Layer 2 Ethernet switching capacity | No |
| Layer 2 LAG | No |
| Layer 3 LAG | No |
| LACP support for Layer 2 | No |
| LACP support for Layer 3 | No |
| Low-impact cluster upgrade (ISSU Light) | No |
| Low latency firewall | No |
| Multicast flow | Yes |
| Multicast routing | Yes |
| PPPoE over redundant Ethernet interface | No |
| Redundant Ethernet interfaces | Yes |
| Redundant Ethernet interface LAGs | No |
| Redundant Ethernet or aggregate Ethernet interface monitoring | Yes |
| Redundancy group 0 (backup for Routing Engine) | Yes |
| Redundancy group 1 through 128 | Yes |
| Stateful Failover - IPsec VPN (policy based) | Yes |
| Stateful Failover - IPsec VPN (route based) | Yes |
| Upstream device IP address monitoring | Yes |
| Upstream device IP address monitoring on a backup interface | Yes |
| Chassis Management | |
| Chassis management (support on VMware) | Yes |
| Chassis cluster support on KVM: | |
| Chassis cluster for VirtIO driver | Yes. NOTE: For VirtIO interfaces, link status update is not supported. The link status of VirtIO interfaces is always reported as UP. Therefore the Firefly Perimeter implementation using VirtIO and chassis cluster cannot receive link up and link down messages from VirtIO interfaces. |
| IPv6 IP Security: | |
| 4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1 | Yes |
| 4in4 and 6in6 policy-based site-to-site VPN, manual key | Yes |
| 4in4 and 6in6 route-based site-to-site VPN, AutoKey IKEv1 | Yes |
| 4in4 and 6in6 route-based site-to-site VPN, manual key | Yes |
| Log File Formats: | |
| System (control plane) log file formats: | |
| Binary format (binary) | No |
| Structured syslog (sd-syslog) | Yes |
| Syslog (syslog) | Yes |
| WebTrends Enhanced Log Format (WELF) | No |
| Security (data plane) log file formats: | |
| Binary format (binary) | Yes |
| Structured syslog (sd-syslog) | Yes |
| Syslog (syslog) | Yes |
| WebTrends enhanced log format (WELF) | Yes |
| MPLS: | |
| CCC and TCC | No |
| CLNS | Yes |
| Interprovider and carrier-of-carriers VPNs | Yes |
| Layer 2 VPNs for Ethernet connections | Yes. NOTE: Promiscuous mode needs to be enabled on hypervisor. |
| Layer 3 MPLS VPNs | Yes |
| LDP | Yes |
| MPLS VPNs with VRF tables on PE routers | Yes |
| Multicast VPNs | Yes |
| OSPF and IS-IS traffic engineering extensions | Yes |
| P2MP LSPs | Yes |
| RSVP | Yes |
| Secondary and standby LSPs | Yes |
| Standards-based fast reroute | Yes |
| Multicast: | |
| Filtering PIM register messages | Yes |
| IGMP | Yes |
| PIM RPF routing table | Yes |
| PIM Static RP | Yes |
| Primary routing mode (dense mode for LAN and sparse mode for WAN) | Yes |
| SDP | Yes |
| Session Announcement Protocol (SAP) | Yes |
| Multicast VPN: | |
| Basic multicast features in C-instance | Yes |
| Multicast VPN membership discovery with BGP | Yes |
| P2MP LSP support | Yes |
| P2MP OAM - P2MP LSP ping | Yes |
| Reliable multicast VPN routing information exchange | Yes |
| Network Address Translation: | |
| Destination IP address translation | Yes |
| Disabling source NAT port randomization | Yes |
| Interface source NAT pool port | Yes |
| NAT address pool utilization threshold status | Yes |
| NAT traversal (NAT-T) for site-to-site IPsec VPNs (IPv4) | Yes |
| Persistent NAT | Yes |
| Persistent NAT binding for wildcard ports | Yes |
| Persistent NAT hairpinning | Yes |
| Maximize persistent NAT bindings | No |
| Pool translation | Yes |
| Proxy ARP (IPv4) | Yes |
| Proxy NDP (IPv6) | Yes |
| Removing persistent NAT query bindings | Yes |
| Rule-based NAT | Yes |
| Rule translation | Yes |
| Source address and group address translation for multicast flows | Yes |
| Source IP address translation | Yes |
| Static NAT | Yes |
| Deterministic NAT | Yes |
| PBA NAT | Yes |
| Network Operations and Troubleshooting: | |
| Event policies | Yes |
| Event scripts | Yes |
| Operation scripts | Yes |
| XSLT commit scripts | Yes |
| Network Time Protocol: | |
| NTP support | Yes. NOTE: VMware recommends using NTP and disabling time synchronization in the VMware tools. |
| Packet Capture: | |
| Packet capture | Yes. NOTE: Packet capture, in this context, refers to standard interface packet capture. It is not part of the IPS. Packet capture is supported only on physical interfaces and tunnel interfaces; for example, gr, ip, st0. Packet capture is not supported on redundant Ethernet interfaces (reth). |
| Real-Time Performance Monitoring Probe | |
| RPM probe | Yes |
| One-way timestamps | Yes |
| Routing: | |
| BGP | Yes |
| BGP extensions for IPv6 | Yes |
| BGP Flowspec | No |
| Compressed Real-Time Transport Protocol (CRTP) | No |
| ECMP flow-based forwarding | No |
| Internet Group Management Protocol (IGMP) | Yes |
| IPv4 options and broadcast Internet diagrams | Yes |
| IPv6 routing, forwarding, global address configuration, and Internet Control Message Protocol (ICMP) | Yes |
| IS-IS | Yes |
| Multiple virtual routers | Yes |
| Neighbor Discovery Protocol (NDP) and Secure NDP | Yes |
| OSPF v2 | Yes |
| OSPF v3 | Yes |
| RIP next generation (RIPng) | Yes |
| RIP v1, v2 | Yes |
| Static routing | Yes |
| Virtual Router Redundancy Protocol (VRRP) | Yes |
| Secure Web Access: | |
| CAs | Yes |
| HTTP | Yes |
| HTTPS | Yes |
| Security Policy Support: | |
| Address books/address sets | Yes |
| Common predefined applications | Yes |
| Custom policy applications | Yes |
| Global policy | Yes |
| Policy application timeouts | Yes |
| Policy applications and application sets | Yes |
| Policy hit-count tracking | Yes |
| Schedulers | Yes |
| Security policies for self-traffic | Yes |
| SSL proxy | No |
| User role firewall | No |
| Shadow policy | Yes |
| Security Zone: | |
| Functional zone | Yes |
| Security zone | Yes |
| Session Logging: | |
| Accelerating security and traffic logging | Yes |
| Aggressive session aging | Yes |
| Getting information about sessions | Yes |
| Logging to a single server | Yes |
| Session logging with NAT information | Yes |
| SMTP: | |
| SMTP support | Yes |
| SNMP: | |
| SNMP support | Yes |
| Stateless Firewall Filters: | |
| Stateless firewall filters (ACLs) | Yes |
| Stateless firewall filters (simple filter) | No |
| System Log Files: | |
| Archiving system logs | Yes |
| Configuring system log messages | Yes |
| Disabling system logs | Yes |
| Filtering system log messages | Yes |
| Multiple system log servers (control-plane logs) | Yes |
| Sending system log messages to a file | Yes |
| Sending system log messages to a user terminal | Yes |
| Viewing data plane logs | Yes |
| Viewing system log messages | Yes |
| IDP/IPS | |
| For SRX Series IDP/IPS configuration details, see: https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-idp-index.html. | |
| Access Control on IPS audit log | Yes |
| DiffServ code point (DSCP) marking | No |
| IPS alarms and auditing | Yes |
| IPS and UAC coordinated threat | Yes |
| IPS application DDoS (AppDDoS) rule base | No |
| IPS application identification (AppID) | No |
| IPS class-of-service action | Yes |
| IPS cryptographic key handling | No |
| IPS in an active/active chassis cluster | Yes |
NoIPS operational mode - inline tap

YesIPS logging

YesIPSmonitoring and debugging

YesIPS policy

YesIPS rule base

YesIPS security packet capture

YesIPS signature database

NoIPS SSL inspection

YesJumbo frames

NoNested Application Identification

NoPerformance and capacity tuning for IPS

YesSNMPMIB for IPSmonitoring

Transparent Mode:

For information on configuring Firefly Perimeter in transparent mode, see:

http://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf.

| Feature | Support on Firefly Perimeter |
| --- | --- |
| Application DoS (AppDDoS) | No |
| Application Firewall (AppFW) | Yes |
| Application QoS (AppQoS) | Yes |
| Application Tracking (AppTrack) | Yes |
| Bridge domain and transparent mode | Yes |
| Chassis clusters (active/backup and active/active) | Yes |
| Class of service | Yes |
| IPv6 flows | Yes |
| IPv6 security mode | No |
| User role firewall | No |
| UTM | Yes |

Public Key Infrastructure (PKI)

| Feature | Support on Firefly Perimeter |
| --- | --- |
| Certificate chaining (8-deep) | Yes |

UTM

For SRX Series UTM configuration details, see:

https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-utm-index.html.

For SRX Series UTM Series Antispam configuration details, see:

https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-utm-antispam.html.

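| Feature | Support on Firefly Perimeter |
| --- | --- |
| Antispam (AS) | Yes |
| Antivirus (AV) Full | No |
| AppSecure | Yes |
| AV Sophos | Yes |
| Chassis cluster | Yes |
| Content filtering (CF) | Yes |
| EWF | Yes |
| Express Antivirus (Express AV) | No |
| IPsec | Yes |
| Transparent mode | No |
| Web filtering (WF) | Yes |
| WELF logging | Yes |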

Upgrading and Rebooting:

| Feature | Support on Firefly Perimeter |
| --- | --- |
| Autorecovery | No |
| Boot device configuration | No (N.A.) |
| Boot device recovery | No (N.A.) |
| Chassis components control | Yes |
| Chassis restart | Yes |
| Download manager | Yes |
| Dual-root partitioning | No |
| In-band cluster upgrade | No |
| Low-impact cluster upgrades | No |
| Software upgrades and downgrades | Yes |

User Interfaces:

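| Feature | Support on Firefly Perimeter |
| --- | --- |
| CLI | Yes |
| J-Web user interface | Yes |
| Junos XML protocol | Yes |
| Junos Space Security Director | Yes |
| Junos Space Virtual Director | Yes. Note: Supported on VMware only and not on KVM. |
| Network and Security Manager | No |
| SRC application | No |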

VPLS:

| Feature | Support on Firefly Perimeter |
| --- | --- |
| Filtering and policing (packet-based) | Yes |

Table 5 on page 41 lists additional features that are not supported on Firefly Perimeter.

Table 5: Firefly Perimeter Feature Support Information

| Feature | Firefly |
| --- | --- |
| Application Identification (Junos OS) | Yes |
| BGP Route Reflector | No |
| Dynamic VPN (DVPN) | No |
| General Packet Radio Service (GPRS) | No |
| Group VPN | No |
| Hardware Acceleration | No |
| In-Service Software Upgrade (for all VPN and non-VPN features) | No |
| Logical systems | No |
| Multicast for AutoVPN | No |
| Network Management and Analysis (Suite B implementation for IPsec VPN) | No |
| Power over Ethernet | No |
| Remote Device Access | No |
| Services Offloading | No |
| USB Modem | No |
| Voice over Internet Protocol with Avaya | No |
| Wireless Local Area Network | No |

Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter

• Performance on VMware 5.5 update 2 or 3 can degrade significantly (25 percent) from previous versions because of an e1000 driver issue.

Known Behavior

The known behaviors in Firefly Perimeter are as follows:

• On Firefly Perimeter, maximum performance can be achieved using two vNICs. If you add more vNICs you can expect a decrease in the total performance because of the interface driver overhead. The performance behavior is applicable to both the VMware and the KVM environments.

• On Firefly Perimeter with a KVM chassis cluster, the secondary mode crashes into database (db) mode after startup and after synchronizing with the primary mode.

• On Firefly Perimeter, the system halts after the login prompt from the virsh console or the vnc console. It is unable to ping/ssh/telnet to an interface or a service. Ideally, the system should start without a halt.


• Firefly Perimeter requires a configuration with 2 vCPUs, up to 10 vNICs, 2 GB RAM, and 2 GB disk space. When using IPS or UTM, the required memory size is 3 GB RAM.

• Firefly Perimeter supports VMware ESXi 5.0, 5.1, and 5.5. For KVM, Firefly Perimeter supports CentOS 6.3, Ubuntu 14.04, and Contrail 1.0.

• The VM hardware version cannot be upgraded through the vSphere client.

• On Firefly Perimeter, family ethernet-switching and services unified-access-control are not supported.

• On Firefly Perimeter, configuring an interface to do traffic loopback is not supported because of a VMware e1000 NIC emulation limitation.

• On Firefly Perimeter, configuring XAuth with AutoVPN secure tunnel (st0) interfaces in point-to-multipoint mode and dynamic IKE gateways is not supported.

Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter

There are no outstanding issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter.

Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter

There are no outstanding issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter.

Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter

There are no outstanding issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter.

Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter

There are no outstanding issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter.

Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter

There are no outstanding issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter.

Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter

The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Flow and Processing

• Performance on VMware 5.5 update 2 or 3 can degrade significantly (25 percent) from previous versions because of an e1000 driver issue. [PR 1052025]

• On Firefly Perimeter, the generic routing encapsulation (GRE) interface is down when ge-0/0/0 is set in the routing instance. [PR 1035957]

• On Firefly Perimeter, there is a problem while handling large labels if the remote provider edge (PE) router disables the vrf-label-label command. [PR 974942]


• For a Firefly Perimeter device running on Ubuntu 14.04, the commit operation time is slow. [PR 1060459]

• On Firefly Perimeter, while using Network Configuration Protocol (NETCONF), the commit fails with error UI_NETCONF_ERROR: NETCON. [PR 1060646]

Chassis Cluster

• On Firefly Perimeter with a chassis cluster, proxy-ndp on a reth interface fails if the IPv6 multicast is set to “33:33:0:0:0:0”. [PR 993888]

• On Firefly Perimeter, cluster connection is unstable over a control or fabric link. [PR 1066969]

Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter

The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Flow and Processing

• On Firefly Perimeter with KVM VirtIO interface, packet distribution is not evenly processed for all queues. [PR 925300]

• On Firefly Perimeter, the UDP throughput for 2 vNICs on 16 vSRX instances is less than that for 2 vNICs on a single vSRX instance. Therefore, 1 vSRX instance (with 2 vNICs configured) performs better than 16 instances (each with 2 vNICs configured). [PR 930500]

Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter

The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Chassis Cluster

• In a Firefly Perimeter Layer 2 chassis cluster, when the ping command is used to retrieve self-traffic details, a 100 percent packet loss is displayed. [PR 964069]

Flow and Processing

• On Firefly Perimeter, RT_IDS logging fails. The issue is related to an IPv6 extension header introduced in Junos OS Release 12.1X47. [PR 959922]

Interfaces and Routing

• On Firefly Perimeter, RADIUS authentication fails if the management interface in a routing instance is configured with a default route to the management network. [PR 949530]


Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter

There are no resolved issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter.

Chassis Cluster

Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter

The following problems are resolved in Junos OS Release 12.1X47-D40 for Firefly Perimeter.

Chassis Cluster

• On Firefly Perimeter with chassis cluster, when the same monitored IP address is configured on multiple redundancy groups and the secondary IP address is changed, updating the new IP address on the forwarding plane might fail. This issue is fixed. [PR 1022608]

Flow and Processing

• On Firefly Perimeter, when proxy-NDP is configured, Firefly Perimeter uses the Network Simulator (NS) packets to create flow sessions instead of directly forwarding them to the Routing Engine. This issue is fixed. [PR 1157715]

• On Firefly Perimeter, a default route to the DHCP server is established even if the DHCP option 3 is not set up. This issue is fixed. [PR 1151245]

• On Firefly Perimeter, if more than one DHCP client interface IP address is configured, and if the IP address of one interface changes because of DHCP renewal or release, other interfaces in the RENEWING or REBINDING state will lose their IP address. This issue is fixed. [PR 1156357]

J-Web

• On Firefly Perimeter, TCP/ICMP traffic reports are incorrectly displayed under the UDP traffic category on J-Web. This issue is fixed. [PR 1171777]

Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter

There are no resolved issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter.

Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter

The following problems are resolved in Junos OS Release 12.1X47-D30 for Firefly Perimeter.

Interfaces and Routing

• On Firefly Perimeter, when 8 to 10 interfaces are present in the virtual machine, some packet loss might occur even at low bandwidth. This would show as RX drops on the connected vswitch port. This issue is fixed. [PR 1117720]

Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter

The following problems are resolved in Junos OS Release 12.1X47-D25 for Firefly Perimeter.


Flow and Processing

• In Firefly Perimeter, the generic routing encapsulation (GRE) interface is down when ge-0/0/0 is set in the routing instance. This issue is fixed. [PR 1035957]

Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter

The following problems are resolved in Juniper Networks Firefly Perimeter.

IPS

• On Firefly Perimeter, the permitted range of values to be entered in the CLI command set security idp sensor-configuration detector protocol-name TELNET tunable-name sc_telnet_failed_logins tunable-value incorrectly ranges from 33554432 to 1677721600. The appropriate range is 2 to 100. This results in the commit check error out of range when a value in the appropriate range has been configured. This issue is fixed. [PR 954372]

Flow and Processing

• On Firefly Perimeter, TCP packet re-ordering causes traffic issues when sub-interfaces on reth are used. This issue is fixed. [PR 1026130]

• On Firefly Perimeter, after sending telnet traffic, some incorrect source ports and destination ports are populating in the log messages. This issue is fixed. [PR 1058838]

Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter

The following problems are resolved in Juniper Networks Firefly Perimeter.

Chassis Cluster

• On Firefly Perimeter with VMware, there is an issue with the chassis cluster setup in the VMware 5.5 environment. This issue is fixed. [PR 936992]

• On Firefly Perimeter, source MAC learning might fail in Layer 2 mode if redundancy group failover occurs immediately after an RG0 failover. Waiting 3 to 5 minutes fixed this issue. [PR 962905]

Flow and Processing

• On Firefly Perimeter, transferring UDP traffic from the same source and destination results in a loop for further forwarding sessions. This issue is fixed. [PR 981170]

• On Firefly Perimeter, source MAC learning might fail when there is a failover in node RG0. This issue is fixed. [PR 972358]

• On Firefly Perimeter, proxy-ndp is inactive on the reth interface. This issue is fixed. [PR 985093]


Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter

The following problems are resolved in Juniper Networks Firefly Perimeter.

Chassis Cluster

• On Firefly Perimeter with a KVM chassis cluster, one of the interface cards appears offline. The issue occurs because of a control link failure. This issue is fixed. [PR 966469]

• On Firefly Perimeter with a KVM chassis cluster, when the secondary node is rebooted after a manual failure, the flowd fabric monitor or interface displays its link status as Down. This issue is fixed. [PR 973945]

• On Firefly Perimeter with a VMware ESXi chassis cluster, a core file is generated during a failover. This issue is fixed. [PR 976757]

• On Firefly Perimeter, the system is unable to capture the attack packets. This issue is fixed. [PR 980858]

Flow and Processing

• On Firefly Perimeter, the secondary node might print SIGTERM or exit information in the console and crash into db mode. This issue is fixed. [PR 971280]

• On Firefly Perimeter, the reth port releases its aggregate physical interface. In this case, no traffic is able to traverse the physical interface. This issue is fixed. [PR 978546]

IPS

• On Firefly Perimeter, Application Identification (AppID) is not supported. This issue is fixed. [PR 957639]


Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).


Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net/pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.

Revision History

11 November 2016—Revision 1, Firefly Perimeter - Release 12.1X47-D45.

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
