Sunday, September 9, 2012

ちゃね

【Changes to Default Behavior Introduced 5.4.0r1- 6.1.0r4】
 in 6.1.0r4   ★ DNS Port Randomization.                                           Random source-port assignment can now be enabled for policy-based DIP pools, so both interface-based and policy-based DIP pools can assign ports randomly. Interface-based DIP pools randomize ports by default. Policy-based DIP pools, however, default to port translation, so an admin must enable random-port manually; until that is done, a host behind a policy-based DIP pool (a DNS resolver, for example) does not get randomized source ports. The random-port keyword has been added to the CLI syntax for both DIP pools and extended DIP pools: set interface ifname ext ip ip/mask dip dip_id ip_low ip_high [random-port] and set interface ifname dip dip_id ip_low ip_high [random-port]
 in 6.1.0r4   ★ Load-threshold.                                                   The load-threshold setting for an ISDN interface supports the range 0~100. The zero value allows for always-up capability. Use the dialer load-threshold load interface configuration command to configure the bandwidth on demand for setting the maximum load.
 in 6.1.0r4   ★ ISG traffic dropping.                                             Use the command set sat fin-close-aging num to control session age-out on the ISG. By default the ISG session age-out is 10 seconds. Using the command prevents packets from being dropped when the session inactivity age-out timer expires too early.
 in 6.1.0r4   ★ Multicast routing.                                                An administrator can now configure a multicast address to the unicast route table using the mroute command.
 in 6.1.0r4   ★ Traffic shaping.                                                  Multicast traffic can now be inspected for traffic shaping, so multicast packets can be shaped before they are flooded in a Layer 2 zone.
 in 6.1.0r4   ★ Port mapping.                                                     ScreenOS lets the WebUI map the otherwise unused management ports 443 and 53 to a VIP. The following steps must be repeated every time the device reboots: 1. Set a VIP on the outgoing interface using an IP other than the interface IP. 2. Set the port mappings for the VIP on ports 443 and 53; admin SSL must first be reassigned to a port other than 443, and the DNS proxy must be disabled for port 53. 3. Change the VIP back to the interface IP.
 in 6.1.0r1   ★ [SSG 140] Maximum Number of Supported Zones.                      In previous releases, the administrator was able to create more than the maximum amount of user-defined zones (30). With 6.1.0r1, this limit is now enforced on the SSG 140.
 in 6.1.0r1   ★ NSRP Active-Active Configuration in Transparent Mode.             The virtual security device (VSD) is determined by the VLAN tag in Transparent mode instead of the VMAC in Route/NAT mode.
 in 6.1.0r1   ★ Consistent NAT Behavior Across Platforms.                         ScreenOS now provides a consistent NAT behavior across all platforms. This includes the following: ■ Allows VIP and MIP to be the same as interface on any Layer 3 zone instead of only the Untrust zone ■ Allows VIP and MIP to be on the same interface with the same IP ■ Adds new CLI set interface interface-num vip interface-ip and change set interface interface-num vip untrust-ip to a hidden command.
 in 6.1.0r1   ★ SA IDs Displayed Consistently in the Same Base.                   With this release of ScreenOS, Security Association (SA) IDs are displayed in Hex both when using the get sa command and in the displayed configuration.
 in 6.1.0r1   ★ Performance Enhancement.                                          The ISG 1000 platform supports enhanced performance to 2Gbps.
 in 6.1.0r1   ★ Increase in Limit of Entries in Routing Tables.                   With ScreenOS 6.1.0, running on the SSG 520/520M/550/550M platforms, routing and forwarding tables can have 250,000 entries, which is increased from the earlier limit of 20,000. The routing tables accept 250,000 total routes including connected, static, imported, and those learned from the routing protocols.
 in 6.1.0r1   ★ Wildcard Masks.                                                   ScreenOS 6.1.0 provides an option to use wildcard masks in IP addresses. If you configure a policy that uses wildcard masks, the system prompts that a wildcard address or wildcard policy is configured because using wildcard address/wildcard policy causes a performance penalty.
 in 6.1.0r1   ★ “Deny” Option in Access Lists in Multicast Policies.            ScreenOS provides an option to include a deny option in access lists in the multicast policy. This might appear as an increase in the number of multicast access lists.
 in 6.1.0r1   ★ Session Capacity Increases.                                       Session capacity increases as listed below (none: no increase for that platform).
                Platform                Sessions
                SSG 5/SSG 20            8,000
                SSG 5/SSG 20 - Adv      16,000
                SSG 140                 48,000
                SSG 320M                none
                SSG 350M                none
                SSG 520/SSG 520M        128,000
                SSG 550/SSG 550M        256,000
                ISG 1000                512,000
                ISG 1000-IDP            none
                ISG 2000                1,000,000 (NOTE: 2 GB of RAM required; 1 GB of RAM allows 512,000 sessions)
                ISG 2000-IDP            none
                NS5200/MGT2             none
                NS5400/MGT2             2,000,000
 in 6.1.0r1   ★ Increase in GTP Tunnels.                                          ScreenOS 6.1.0 increases the maximum number of active GTP tunnels supported to 400,000 for the ISG 2000 platform and to 200,000 for the ISG 1000 platform.
 in 6.1.0r1   ★ Increase in Roles per Auth Table Entry.                           ScreenOS 6.1.0 increases the number of roles per auth table entry from 26 to 200.
 in 6.1.0r1   ★ Session Rerouting Between Tunnels and Physical Interfaces.        ScreenOS 6.1.0 allows the traffic to fail over between route-based VPN tunnels and physical interfaces in the same zone when the security devices are deployed in a fully redundant network design consisting of dynamic routing and route-based VPNs. To restore the original behavior, use the set envar no-reroute-tunnel-physical=yes command.
 in 6.1.0r1   ★ Increase in Maximum Tunnel Interfaces.                            On the NS-5000 w/MGT2 platform, ScreenOS 6.1.0 increases the maximum number of tunnel interfaces per device from 4096 to 8192.
 in 6.1.0r1   ★ ETSI Standards Support.                                           Currently, Juniper Networks security devices do not support the new wireless standard from European Telecommunications Standards Institute (ETSI), DFS2. This will result in the disabling of the frequency ranges 5250-5350 MHz and 5470-5725 MHz for all SSG 5/20 wireless systems (region ETSI) after March 2008.
 in 6.1.0r1   ★ UDP Flood Screen.                                                 Juniper Networks ASIC-based security devices (NS5400, NS5200, ISG 1000, and ISG 2000) enforce configured screen options for a subinterface even when the physical interface of this subinterface is in a null security zone.
 in 6.1.0r1   ★ Packet Distribution Mode Setting.                                 On an NS5200 MGT2 with 10GE blade, you can now configure the packet distribution mode for ingress traffic as either hash or round-robin mode using the CLI command set interface interface-name mode. Default is hash mode.
 in 6.1.0r1   ★ Virtual IP on Loopback Interfaces.                                With ScreenOS 6.1.0, you can configure the virtual IP (VIP) and Track IP addresses for a loopback interface. Earlier releases of ScreenOS did not provide this option.
 in 6.1.0r1   ★ Configurable Wait Time to Confirm NSM Connection.                 If you manage your security device with Juniper Networks NetScreen-Security Manager (NSM), you can load the security device with a configuration from NSM. If a configuration upload fails for some reason, the security device may lose communication with the NSM server. The device can reestablish the connection with NSM by rebooting and loading the previous configuration. The device, however, is unable to immediately detect that the connection is broken, so it is necessary to wait for a specified interval and then check the connection status. The new CLI to configure the wait interval to check the connection status is set nsm bulkcli reboot-wait [seconds]. If the connection is broken, the device can be configured to wait for another specified interval and then reboot.
 in 6.1.0r1   ★ Addition of HA and MGT Zones.                                     ScreenOS 6.1.0 adds support for high availability (HA) and management (MGT) zones on the SSG 5 and SSG 20 devices. When you start these devices for the first time, the device adds the HA and MGT zones by default.
 in 6.1.0r1   ★ Option to Configure Email Virus Scanning Action.                  ScreenOS 6.1.0 provides an option to configure the action that the security device should take if a virus is found in an email. You can choose to have the security device drop the infected email or send a notification mail to the intended recipient with the infected email replaced with an alert message.
 in 6.1.0r1   ★ Firmware Information.                                             ScreenOS 6.1.0 adds information about the firmware and its components to the output of the get system CLI command on an ISG 1000 or ISG 2000 device.
 in 6.1.0r1   ★ Bgroup PPS Counters.                                              ScreenOS 6.1.0 now displays packet-per second counters on bgroup interfaces.
 in 6.1.0r1   ★ VLAN Capacity Increase.                                           ScreenOS 6.1.0 now supports up to 4094 VLAN interfaces on ISG 1000/2000, ISG 1000/2000-IDP, and NS5x00 series devices when operating in Transparent mode.
 in 6.1.0r1   ★ TCP MSS Modified for Bidirectional VPN Traffic.                   The TCP Maximum Segment Size (MSS) value for bidirectional VPN traffic can now be modified in the CLI. The new command set flow vpn-tcp-mss number sets the same MSS for both inbound and outbound traffic. In prior ScreenOS releases, the command set flow tcp-mss worked only for outbound VPN traffic. NOTE: The older command still works, but any value set with it is overridden when the new command is run. Running unset flow vpn-tcp-mss makes the device use the earlier value again and permits use of the older command. When no MSS value is given, the default is 1350; while the new command is in effect, an MSS value configured by set flow tcp-mss is not honored even if set flow tcp-mss is run again. [261891]
 in 6.0.0r6   ★ AV Scan Engine                                                    The AV scan engine has been upgraded to the latest version.
 in 6.0.0r3   ★ USB Boot Sequence                                                 When converting an SSG 300M-series device from ScreenOS to JUNOS, apply the set boot junos command. This command changes the boot sequence to boot from the USB instead of from the Primary CF card.
 in 6.0.0r2   ★ Max Dialing Interval Default                                      The maximum dialing interval has changed from 60 to 600 seconds. This resolves an issue in previous releases regarding the dialing interval in that sometimes dialing failed but the device did not wait long enough and instead redialed almost immediately.
 in 6.0.0r2   ★ CPU Protection and Utilization Profiling                          As a result of implementation of CPU protection and utilization profiling features in this release, the set firewall ppu command is now hidden and nonfunctioning. Systems that currently have the command set will lose the setting when upgrading to this release.
 in 6.0.0r2   ★ TCP-SYN-Check Packet Flow                                         In previous ScreenOS releases, all three handshake packets (SYN, SYN-ACK, and ACK) were sent to the CPU when TCP-SYN-Check was set, on single-ASIC, dual-ASIC, and multi-ASIC platforms alike. From 6.0.0r2, only the first packet (SYN) is sent to the CPU; the following two packets (SYN-ACK and ACK) are processed by the PPU (ASIC) when TCP-SYN-Check is set.
 in 6.0.0r2   ★ Infranet Auth Object Cleanup                                      In releases prior to 6.0.0r2, infranet auth table entries were removed as soon as connectivity with the Infranet Controller was lost. In this release, infranet auth table entries remain for two minutes while the device attempts to reestablish a connection to the Infranet Controller.  When combined with Infranet Controller changes scheduled for release in UAC 2.1, the delay in removing auth table entries allows for better failover in Infranet Enforcer and Infranet Controller clusters.
 in 6.0.0r2   ★ Infranet Auth Cold Start NSRP Synchronization                     In releases prior to 6.0.0r2, infranet auth table entries were synchronized between nodes in an NSRP cluster as long as both nodes were up and communicating with each other. Any infranet auth table changes that occurred while one node was down, however, would not be seen by the other node.  In this release, the infranet auth table entries are synchronized between the two nodes of an NSRP cluster when they start communicating with each other.
 in 6.0.0r2   ★ Infranet Controller and Management IP                             In releases prior to 6.0.0r2, it was not possible to use an interface with a management IP configured to communicate with the Infranet Controller. This was because the NACN message was sent from the non-management IP, and the Infranet Controller would attempt to ssh back to the Infranet Enforcer using the non-management IP, resulting in a failed connection.  In this release, the management IP (if configured) is used to send NACN messages to the Infranet Controller.
 in 6.0.0r2   ★ Removing Denied Sessions on Auth Table Change                     In releases prior to 6.0.0r2, upon removal of an infranet auth table entry, all associated sessions were terminated. However, other changes to the infranet auth table or infranet auth policies had no effect on existing sessions. In this release, when an infranet auth table entry changes, all of its associated sessions are reevaluated. Any that are no longer allowed are terminated.
 in 6.0.0r1   ★ TCP-SYN-Check Default                                             The default for NS-5200/5400 devices was set flow tcp-syn-check, which performs both the SYN-bit check and full three-way-handshake validation. In ScreenOS 6.0.0r1, the default is set flow tcp-syn-bit-check, which performs only the SYN-bit check; set flow tcp-syn-check must be configured explicitly if handshake validation is required.
 in 6.0.0r1   ★ RADIUS Attributes                                                 In ScreenOS 6.0.0r1, both calling-station and called-station IDs are supported as default behavior.
 in 6.0.0r1   ★ IP Option Packets                                                 The IP option packets (record-route and timestamp) in ScreenOS 6.0.0r1 are not dropped. All four IP option packets (record-route, timestamp, security, and stream) behave consistently.
 in 6.0.0r1   ★ Coredump to USB                                                   The maximum file size limitation for the coredump file is removed. The maximum USB size supported is 1GB.
 in 5.4.0r21  ★ Firewall can block packets with a Routing header.                 The firewall can block packets carrying a type 0 routing header (RH0, which RFC 5095 deprecated because it can be abused for traffic amplification). To avoid blocking every routing header, the firewall supports routing-header type filters, configured with the following command: set interface <interface-name> protocol igmp no-check-ttl
 in 5.4.0r19  ★ Auth Server Interface Traffic.                                    When the set auth-server name src-interface interface command is issued, the traffic originates as “self” instead of the specified interface.
 in 5.4.0r18  ★ SSL renegotiation.                                                ScreenOS rejects SSL renegotiation from an SSL client that does not implement RFC 5746 (the TLS Renegotiation Indication Extension). A client that cannot cryptographically bind a renegotiation to the existing connection is exposed to the renegotiation prefix-injection attack that RFC 5746 was written to close, so such clients are refused rather than served.
 in 5.4.0r18  ★ High flow CPU after upgrading ScreenOS.                           [NS 5000] Under certain conditions, only software sessions were created when the packet's destination MAC address had no entry in the MAC learning table. As a result, subsequent packets were flooded and CPU utilization was high.
 in 5.4.0r16  ★ Unable to telnet to firewall.                                     The telnet console displays Can't create telnet-cmd:6 task error message when the SSG devices are managed through telnet. Hence, the tasks on SSG devices have been increased to allow device management.
 in 5.4.0r16  ★ Unexpected Low VPN Throughput.                                    On NetScreen-5000 series, a new enhancement is added for VPN encryption to be distributed into different chips based on the tunnel's SA index per round robin.
 in 5.4.0r14  ★ SNMP reports the wrong information for Serial and ML interface.   In previous ScreenOS versions, trunked interfaces being polled using SNMP RFC MIBS for the ifOper status was showed as UP. After the upgrade, the ifOper status was showed as DOWN. For more information, see the JTAC knowledge base number KB 13962 located at http://kb.juniper.net.
 in 5.4.0r14  ★ Confirm behavior of remote authentication                         When remote authentication is primary, local authentication is tried only if the remote server is down, that is, no response is received in time; an explicit rejection from the remote server is not retried locally. When local authentication is primary, remote authentication is tried only if the user name does not exist in the local database.
 in 5.4.0r14  ★ Resolution of hostname to IP address of syslog or webtrends .     In previous ScreenOS releases, ScreenOS resolves the hostname to IP address of syslog or webtrends only when the service is enabled. The new behavior is to resolve the hostname to IP address of syslog or webtrends immediately after being configured, the get dns host cache command will show a DNS cache entry before the service is enabled.
 in 5.4.0r11  ★ DNS Port randomization.                                           Random source-port assignment can now be enabled for policy-based DIP pools, so both interface-based and policy-based DIP pools can assign ports randomly. Interface-based DIP pools randomize ports by default. Policy-based DIP pools, however, default to port translation, so an admin must enable random-port manually. The random-port keyword has been added to the CLI syntax for both DIP pools and extended DIP pools: set interface ifname ext ip ip/mask dip dip_id ip_low ip_high [random-port] and set interface ifname dip dip_id ip_low ip_high [random-port]
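
Because policy-based DIP pools keep plain port translation until random-port is added (the 6.1.0r4 and 5.4.0r11 entries above), the pools worth auditing are the ones a policy references. The script below is an added example, not a Juniper tool: it parses the two pool-definition forms quoted in the entries from a saved configuration, finds pools selected by a policy, flags those without random-port, and emits the corrected definition lines. The policy syntax "nat src dip-id N" is an assumption about how a policy names its pool (the entries show only the pool definition), and the configuration is constructed for the example.

```python
import re

# Pool definitions in the two forms given by the release-note entries:
#   set interface ifname dip dip_id ip_low ip_high [random-port]
#   set interface ifname ext ip ip/mask dip dip_id ip_low ip_high [random-port]
DIP_DEF = re.compile(
    r"^set interface (?P<ifname>\S+)(?P<ext> ext ip \S+)? dip (?P<id>\d+) "
    r"(?P<low>\S+) (?P<high>\S+)(?P<opts>(?: \S+)*)$"
)
# Policy lines that select a pool. "nat src dip-id N" is an assumed policy
# syntax for this example; the entries themselves show no policy line.
POLICY_DIP = re.compile(r"^set policy\b.*\bnat src dip-id (?P<id>\d+)\b")

# Constructed sample configuration (not a real device dump).
SAMPLE_CONFIG = """\
set interface ethernet0/0 dip 4 203.0.113.10 203.0.113.10
set interface ethernet0/0 dip 5 203.0.113.11 203.0.113.11 random-port
set interface ethernet0/1 ext ip 198.51.100.0/24 dip 6 198.51.100.20 198.51.100.30
set policy id 10 from trust to untrust any any DNS nat src dip-id 4 permit
set policy id 11 from trust to untrust any any HTTP nat src dip-id 5 permit
set policy id 12 from dmz to untrust any any any nat src dip-id 6 permit
"""


def parse_dip_pools(config_text):
    """Map dip_id -> {ifname, ext, low, high, random_port} from a config dump."""
    pools = {}
    for raw in config_text.splitlines():
        m = DIP_DEF.match(raw.strip())
        if m:
            pools[int(m.group("id"))] = {
                "ifname": m.group("ifname"),
                "ext": m.group("ext") or "",
                "low": m.group("low"),
                "high": m.group("high"),
                "random_port": "random-port" in m.group("opts").split(),
            }
    return pools


def policy_dip_ids(config_text):
    """Set of dip_ids referenced by policies, i.e. the policy-based pools."""
    ids = set()
    for raw in config_text.splitlines():
        m = POLICY_DIP.match(raw.strip())
        if m:
            ids.add(int(m.group("id")))
    return ids


def policy_pools_without_random_port(config_text):
    """dip_ids used by a policy that still run with the default port translation."""
    pools = parse_dip_pools(config_text)
    return sorted(i for i in policy_dip_ids(config_text)
                  if i in pools and not pools[i]["random_port"])


def remediation_lines(config_text):
    """Re-emit each flagged pool definition with random-port appended."""
    pools = parse_dip_pools(config_text)
    lines = []
    for dip_id in policy_pools_without_random_port(config_text):
        p = pools[dip_id]
        lines.append(
            f"set interface {p['ifname']}{p['ext']} dip {dip_id} {p['low']} {p['high']} random-port"
        )
    return lines


if __name__ == "__main__":
    for dip_id in policy_pools_without_random_port(SAMPLE_CONFIG):
        print(f"policy-based DIP pool {dip_id} lacks random-port")
    for line in remediation_lines(SAMPLE_CONFIG):
        print(line)
```

Pool 5 passes because its definition already carries random-port; pools 4 and 6 are flagged, and pool 4 is the case the entry's title is about, since the policy that uses it carries DNS.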
 in 5.4.0r11  ★ VPN (285743).                                                     The IKE-ID type with numeric IKE-ID from a third-party VPN device is interpreted correctly during Phase1 negotiations.
 in 5.4.0r11  ★ WebUI (262490).                                                   In the WebUI, managing a device from an untrust interface using a trustee admin now functions properly.
 in 5.4.0r6   ★ WLAN.                                                             The permitted frequency ranges for wireless devices has been reduced to satisfy FCC requirements. For more information, see the JTAC knowledge base number KB 9915 located at http://kb.juniper.net.
 in 5.4.0r1   ★ File copy admin restriction change (NSCos67009).                  “save config” to/from tftp server is now restricted to root user only. “save software” transferring to tftp server is now restricted to root user only. “save file” is now restricted to root user only.
 in 5.4.0r1   ★ FIPS.                                                             In the past, releases that were not FIPS certified did not allow FIPS mode to be enabled. R3 will allow FIPS mode to be enabled, even though it will not be FIPS certified.
 in 5.4.0r1   ★ Global-Pro command change.                                        CLI “set global-pro policy-manager primary outgoing-interface” is no longer supported
 in 5.4.0r1   ★ HTTP Brute-Force attack.                                          Server-to-client (S2C) HTTP protocol decoding is performed only if you configure server-to-client signature attacks. HTTP:Brute-Force, a server-to-client anomaly attack, is therefore detected only if an HTTP server-to-client signature attack is also configured in the policy. For example, HTTP:HIGH:SIGS contains server-to-client signature attacks, so add HTTP:HIGH:SIGS alongside HTTP:HIGH:ANOM in the policy.
 in 5.4.0r1   ★ Interface limit change (NSCos65098)                               Hard limits (enforced in the code) were removed for “max interfaces per area” and “max interfaces per routing-instance” and made them soft limits instead. i.e. they are only recommended values and not enforced in the code. The device may not function correctly if these limits are exceeded.
 in 5.4.0r1   ★ Log buffer full handling (NSCos68000/NSCos67431).                 After this change, when the log buffer is full and traffic passing through is stopped, the system waits until the log buffer is empty before resuming traffic; the result is a longer wait before traffic resumes. This behavior applies only when the “set log audit-loss-mitigation” option is set. By default, this option is unset.
 in 5.4.0r1   ★ MAC address handling (NSCos65912).                                Previously, for ASIC based platforms, when MAC cache is used, if the peers change their source MAC without sending any gratuitous ARP out, we could not update our hardware L2 table. In this case, when we want to send packets to the peer, the old MAC will be used. With this release, new session will use a new MAC address to send packets to the peer even without gratuitous ARP received. Old session will not be affected.
 in 5.4.0r1   ★ Multicast-route handling (NSCos65082).                            Previous behavior: In IGMP proxy, when an admin clears multicast-route (mroute) by CLI (clear vr vr-name mroute), it can’t rebuild the mroute even when the new igmp report packet arrived. New behavior: Every time the system receives a new IGMP report, the system will update the mroute created by the IGMP proxy. If the admin deletes the mroute by CLI, the system can rebuild it when it receives the next IGMP report packet.
 in 5.4.0r1   ★ Multilink Bundle interface configuration (NSCos67022)             No longer allow adding an ADSL interface into a  multilink bundle interface with MLFR encapsulation
 in 5.4.0r1   ★ Root/vsys profile configuration (NSCos66696)                      Previously, the RootProfile can be bound to a nonRoot vsys, while  a non-RootProfile can be bound to Root. Now the RootProfile can only be bound to Root vsys while non-RootProfile can only be bound to nonRoot vsys. Previously, get config always has "set vsys-profile RootProfile xxx" even if the value is the same as the default value; now this line will be shown only when the value is changed, i.e., it is different from the default value.
 in 5.4.0r1   ★ Saved log information handling (NSCos62846)                       "Clear log sys saved" was not clearing the saved information on the SSG5 and SSG20 devices in previous versions. The function is now implemented on these devices in 5.4 R3.
 in 5.4.0r1   ★ WAN interface configuration (NSCos66426)                          In the "set/unset interface serialx/0 phy link-down" CLI, the link-down option is disabled for WAN interfaces.
