• On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping simple filter rules and policing rules has been changed. For SRX3000 line devices, the number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type. For SRX5000 line devices, the number of simple filter and policing rules is 2000 for each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is not achievable because of a hardware limitation.
• On a T1/E1 Mini-Physical Interface Module installed on SRX210 and SRX240 devices, the Loopback LED is turned ON based on the loopback configuration and also when FDL loopback commands are executed from the remote end. The Loopback LED remains OFF when no FDL loopback commands are executed from the remote end, even though remote-loopback-respond is configured on the host.
• On J4350 devices, ping does not go through even if the ISDN call is connected and dialer watch is configured. This issue occurs only when the media MTU on the Cisco device is larger than the MTU configured on the J Series device. As a workaround, configure the MTU on the J Series device to be equal to or greater than the MTU set on the Cisco device.
• On SRX Series and J Series devices, the help description for the set <int> interface arp-resp command incorrectly states the default value as unrestricted. The default value is actually restricted.
Intrusion Detection and Prevention (IDP)
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you want to change to maximize-idp-sessions mode, you should configure the security forwarding-process application-services maximize-idp-sessions command before you reboot the device to avoid recompiling IDP policies during every commit. [PR/426575]
• On SRX3400 devices, FTP control connections do not go through the expedited-forwarding queue class. All other traffic, such as HTTP, Telnet, and ping, goes through the expedited-forwarding queue class as expected.
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification CLI commands have been moved from the [security idp sensor-configuration application-identification] hierarchy to the [edit services application-identification] hierarchy.
• On SRX Series and J Series devices, for brute force and time-binding-related attacks, a log is generated only when the match count equals the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This prevents repetitive logs from being generated and ensures consistency with other IDP platforms such as IDP standalone. When no attack is seen within the 60-second period and the BFQ entry is flushed, the match count starts afresh; the next attack match appears in the attack table, and a log is generated as explained above.
Copyright © 2010, Juniper Networks, Inc. 118
JUNOS OS 10.4 Release Notes