Junos Release Notes for Junos OS Release
12.1X47-D45 for Firefly Perimeter
Release 12.1X47-D45
11 November 2016
Revision 1
The Firefly Suite is designed to address the need for compelling and robust security for
diverse virtualized environments by bringing together three products–Firefly Perimeter,
Firefly Host, and Junos Space Virtual Director. These release notes accompany Junos OS
Release 12.1X47-D45 for Firefly Perimeter. They describe supported features and known
issues with Firefly Perimeter.
For the latest, most complete information about outstanding and resolved issues with
Firefly Perimeter, see the Juniper Networks online software defect search application at
http://www.juniper.net/prsearch.
You can also find these release notes on the Firefly Perimeter Documentation webpage,
which is located at https://www.juniper.net/techpubs/firefly-perimeter.
Contents
Release Notes for Firefly Perimeter
  Upgrading from Prior Releases of Firefly Perimeter
  Upgrade Instructions
  Optional Instructions for Validating Security Signatures
    Validating the Firefly Perimeter OVA Image
    Validating the Firefly Perimeter JVA Image Using Linux Commands
  Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter
    Licensing
      Firefly Perimeter Evaluation License Installation Process
      Firefly Perimeter License Installation Process
      Updating Firefly Perimeter Licenses
      Firefly Perimeter Feature License Models
  Features Supported on Firefly Perimeter
  Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter
  Known Behavior
  Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
  Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
    Flow and Processing
    Chassis Cluster
  Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
    Flow and Processing
  Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    Interfaces and Routing
  Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
    Chassis Cluster
  Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    J-Web
  Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
  Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
    Interfaces and Routing
  Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
    IPS
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
  Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
    Chassis Cluster
    Flow and Processing
    IPS
Junos OS Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
Revision History
Copyright © 2016, Juniper Networks, Inc.
Release Notes for Firefly Perimeter
Firefly Perimeter is a virtual security appliance that provides security and networking
services at the perimeter in virtualized private or public cloud environments. It runs as a
virtual machine (VM) on a standard x86 server and enables advanced security and routing
at the network edge in a multitenant virtualized environment.
Firefly Perimeter is built on Junos OS and delivers security and networking features similar
to those available on branch SRX Series devices.
These release notes include:
• Upgrading from Prior Releases of Firefly Perimeter
• Upgrade Instructions
• Optional Instructions for Validating Security Signatures
• Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Features Supported on Firefly Perimeter
• Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter
• Known Behavior
• Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
• Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
• Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
Upgrading from Prior Releases of Firefly Perimeter
You can upgrade to Junos OS Release 12.1X47-D45 for Firefly Perimeter from Junos OS
Release 12.1X47-D10 for Firefly Perimeter using the CLI, J-Web, or Junos Space Network
Management Platform.
Upgrade Instructions
To upgrade from a previous Junos OS release for Firefly Perimeter to Junos OS Release
12.1X47-D45 for Firefly Perimeter using the CLI:
1. Ensure that Junos OS Release 12.1X47-D10 for Firefly Perimeter is deployed with the
Junos OS for Firefly Perimeter Release 12.1X47-D10 .ova and .jva files.
root@FFP-X47> show version
Hostname: FFP-X47
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D10.4]
root@FFP-X47>
2. Download the Junos OS for Firefly Perimeter Release 12.1X47-D45 .tgz file from the
Juniper website.
3. Upload the Junos OS for Firefly Perimeter Release 12.1X47-D45 .tgz file to your local
file system, for example, to the /var/tmp partition.
root@FFP-X47> file list /var/tmp
/var/tmp@ -> /cf/var/tmp
root@FFP-X47> file list /cf/var/tmp
/cf/var/tmp/
cleanup-pkgs.log
eedebug_bin_file
gksdchk.log
gres-tp/
install/
junos-vsrx-12.1X47-D45.4-domestic.tgz
kmachk.log
krt_gencfg_filter.txt
pics/
policy_status
rtsdb/
spu_kmd_init
vi.recover/
vpn_tunnel_orig.id
root@FFP-X47>
4. Execute the command request system software add /var/tmp/[name_of_tgz_package]
no-validate reboot to install the new Junos OS for Firefly Perimeter Release 12.1X47-D45
.tgz image file.
root@FFP-X47> ...vsrx-12.1X47-D45.4-domestic.tgz no-validate reboot
Installing package '/var/tmp/junos-vsrx-12.1X47-D45.4-domestic.tgz' ...
Verified junos-boot-vsrx-12.1X47-D45.4.tgz signed by PackageProduction_12_1_0
Verified junos-vsrx-12.1X47-D45.4-domestic signed by PackageProduction_12_1_0
Available space: 849286 require: 4714
Saving boot file package in /var/sw/pkg/junos-boot-vsrx-12.1X47-D45.4.tgz
JUNOS 12.1X47-D45.4 will become active at next reboot
Saving package file in /var/sw/pkg/junos-12.1X47-D45.4.tgz ...
Saving state for rollback ...
Rebooting ...
shutdown: [pid 2535]
Shutdown NOW!
*** FINAL System shutdown Message from root@FFP-X47 ***
System going down IMMEDIATELY
root@FFP-X47>
You can use either the FTP or the HTTP protocol to upgrade packages on Firefly
Perimeter from a remote server.
• FTP
ftp://hostname/pathname/package-name
• HTTP
http://hostname/pathname/package-name
For more information, see Installing Junos OS Upgrades from a Remote Server on the
SRX Series Devices.
5. Reboot the system to complete the upgrade process.
6. You have successfully updated to Junos OS for Firefly Perimeter Release 12.1X47-D45.
Now log in and verify using the show version command.
FP-X47 (ttyv0)
login: root
password:
--- JUNOS 12.1X47-D45.4 built 2015-05-14 23:57:11 UTC
root@FFP-X47%
root@FFP-X47%
root@FFP-X47% cli
root@FFP-X47>
root@FFP-X47> show version
Hostname: FFP-X47
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D45.4]
root@FFP-X47>
You can upgrade from a previous release of Firefly Perimeter to Junos OS for Firefly
Perimeter Release 12.1X47-D45 using J-Web. For more information, see Installing Junos
OS Upgrade Packages on SRX Devices from a Remote Server.
You can upgrade from a previous release of Firefly Perimeter to Junos OS for Firefly
Perimeter Release 12.1X47-D45 using Junos Space Network Management Platform. For
more information, see Installing and Upgrading Junos Space Software Overview.
Optional Instructions for Validating Security Signatures
This section includes instructions for validating security signatures.
CAUTION: During the Firefly Perimeter installation or upgrade process, do not modify the
filename of the software image that you download from the Juniper Networks support site.
If you modify the filename, then the installation or upgrade will fail.
• Validating the Firefly Perimeter OVA Image
• Validating the Firefly Perimeter JVA Image Using Linux Commands
Validating the Firefly Perimeter OVA Image
Starting with Junos OS for Firefly Perimeter Release 12.1X47-D10, the Firefly Perimeter
Open Virtualization Format Archive (OVA) image is securely signed. You can validate the
OVA image, if necessary. However, you can install or upgrade Firefly Perimeter without
validating the OVA image. Before you validate the OVA image, ensure that the Linux/UNIX
PC on which you are performing the validation has the following utilities available: tar,
openssl, and ovftool. You can download the VMware Open Virtualization Format (OVF)
tool from the following location:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=OVFTOOL351
To validate the OVA image:
1. Download the Firefly Perimeter OVA image and the Juniper Networks root certificate
file (JuniperRootRSACA.pem) from the Firefly Perimeter downloads page at
https://www.juniper.net/support/downloads/?p=firefly#sw.
NOTE: You need to download the Juniper Networks root certificate file only once; you can
use the same file to validate OVA images for future releases of Firefly Perimeter.
2. (Optional) If you downloaded the OVA image and the certificate file to a PC that is
running Windows, copy the two files to a temporary directory on a PC that is running
Linux or UNIX. You can also copy the OVA image and the certificate file to a temporary
directory (/var/tmp or /tmp) on a Firefly Perimeter node.
Ensure that the OVA image file and the Juniper Networks root certificate file are not
modified during the validation procedure. You can do this by assigning write access
to these files only to the user performing the validation procedure. This is especially
important if you use an accessible temporary directory, such as /tmp or /var/tmp,
because such directories can be accessed by several users. Take precautions to ensure
that the files are not modified by other users during the validation procedure.
3. Navigate to the directory that contains the OVA image.
4. Unpack the OVA image by running the following command:
tar xf ova-filename
where ova-filename is the filename of the previously downloaded OVA image.
5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem)
and a signature file (vsrx.cert).
6. Validate the signature in the unpacked OVF file (extension .ovf) by running the following
command:
ovftool ovf-filename
where ovf-filename is the filename of the unpacked OVF file that is contained within
the previously downloaded OVA image.
7. After the unpacked OVF file is validated, validate the signing certificate with the Juniper
Networks root CA file by running the following command:
openssl verify -CAfile JuniperRootRSACA.pem -untrusted Certificate-Chain-File Signature-file
where JuniperRootRSACA.pem is the Juniper Networks root CA file, Certificate-Chain-File
is the filename of the unpacked certificate chain file (extension .pem), and
Signature-file is the filename of the unpacked signature file (extension .cert).
If the validation is successful, a message indicating that the validation is successful
is displayed.
A sample of the validation procedure is as follows:
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic.ova
-bash-4.1$ mkdir tmp
-bash-4.1$ cd tmp
-bash-4.1$ tar xf ../junos-vsrx-12.1X47-D10.4-domestic.ova
-bash-4.1$ ls
certchain.pem junos-vsrx-12.1X47-D10.4-domestic.cert junos-vsrx-12.1X47-D10.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D10.4-domestic.mf junos-vsrx-12.1X47-D10.4-domestic.ovf
-bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-12.1X47-D10.4-domestic.ovf
OVF version: 1.0
VirtualApp: false
Name: Firefly Perimeter
Version: JUNOS 12.1
Vendor: Juniper Networks Inc.
Product URL: http://www.juniper.net/us/en/products-services/software/security/vsrxseries/
Vendor URL: http://www.juniper.net/
Download Size: 227.29 MB
Deployment Sizes:
  Flat disks: 2.00 GB
  Sparse disks: 265.25 MB
Networks:
  Name: VM Network
  Description: The VM Network network
Virtual Machines:
  Name: Juniper Virtual SRX
  Operating System: freebsdguest
  Virtual Hardware:
    Families: vmx-07
    Number of CPUs: 2
    Cores per socket: 1
    Memory: 2.00 GB
    Disks:
      Index: 0
      Instance ID: 5
      Capacity: 2.00 GB
      Disk Types: IDE
    NICs:
      Adapter Type: E1000
      Connection: VM Network
      Adapter Type: E1000
      Connection: VM Network
Deployment Options:
  Id: 2GvRAM
  Label: 2G vRAM
  Description: 2G Memory
-bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem junos-vsrx-12.1X47-D10.2-domestic.cert
junos-vsrx-12.1X47-D10.2-domestic.cert: OK
8. (Optional) If the validation is not successful, perform the following tasks:
a. Determine if the contents of the OVA image have been modified. If the contents
have been modified, download the OVA image from the Firefly Perimeter downloads
page.
b. Determine if the Juniper Networks root CA file is corrupted or modified. If it was
corrupted or modified, download the certificate file from the Firefly Perimeter
downloads page.
c. Retry the preceding validation steps using one or both new files.
Validating the Firefly Perimeter JVA Image Using Linux Commands
The Firefly Perimeter .jva format includes an embedded digital signature that can be
validated to ensure authenticity of the content. In order to do so, along with the .jva file,
you will need a copy of the Juniper Networks root certificate. Once you have downloaded
both files, you will need to run a set of commands to extract the contents within the .jva
file, authenticate the embedded signature with the signing certificate, and authenticate
the signing certificate with the Juniper Networks root certificate.
Once you have the .jva file and Juniper Networks root certificate file in the same directory,
use the following commands:
1. bash junos-vsrx-12.1X47-D10.4-domestic.jva -x (Press 'y' to accept the EULA.)
2. ls (This command shows the newly created directory that contains the .jva contents.)
3. cd (This command opens the newly created directory that contains the .jva contents.)
4. openssl x509 -pubkey -noout -in vsrx.cert > public.pem (This command extracts the
public key from the signing certificate.)
5. head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary (This command converts
the hex-encoded signature to binary format.)
6. openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig (This command
validates the signature with the signing certificate. A successful validation returns the
message “Verified OK”.)
7. openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert (This
command validates the signing certificate with the Juniper Networks root certificate.
A successful validation returns the message “vsrx.cert: OK”.)
A sample of the JVA signature validation procedure using Linux commands is as follows:
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic.jva
-bash-4.1$ bash junos-vsrx-12.1X47-D10.4-domestic.jva -x
Accept?[y/n]y
Extracting ...
Image dumped: junos-vsrx-12.1X47-D10.4-domestic/junos-vsrx-12.1X47-D10.4-domestic.img
-rw-r--r-- 1 dkan nscn 278659072 Aug 15 10:05 junos-vsrx-12.1X47-D10.4-domestic/junos-vsrx-12.1X47-D10.4-domestic.img
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D10.4-domestic junos-vsrx-12.1X47-D10.4-domestic.jva
-bash-4.1$ cd junos-vsrx-12.1X47-D10.4-domestic
-bash-4.1$ ls
certchain.pem junos-vsrx-12.1X47-D10.4-domestic.img vsrx.cert vsrx.sig vsrx.xml
-bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert
vsrx.cert: OK
-bash-4.1$ openssl x509 -pubkey -noout -in vsrx.cert > public.pem
-bash-4.1$ head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary
-bash-4.1$ openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig
Verified OK
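The JVA checks above, together with the write-access precaution from the OVA procedure, wrapped in shell functions that stop at the first failed check. This is an added example, not Juniper code: the function names, exit codes and temporary-file handling are choices made here, while the file names (vsrx.cert, vsrx.sig, certchain.pem) and the openssl, awk and xxd invocations are the ones the procedure uses.

```sh
#!/bin/sh
# Added example, not Juniper code. Function names and exit codes are this
# example's own; file names are the ones the JVA procedure uses.
# Usage: validate_jva ./junos-vsrx-<release>-domestic ./JuniperRootCA.pem

# check_private FILE...: succeed only if every FILE is a regular file (not a
# symlink), owned by the invoking user, and not group- or world-writable.
check_private() {
    uid=$(id -u) || return 1
    for f in "$@"; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "refusing $f: not a regular file" >&2
            return 1
        fi
        # find prints the path only when owner and mode are acceptable.
        if [ -z "$(find "$f" -prune -user "$uid" ! -perm -020 ! -perm -002 -print)" ]; then
            echo "refusing $f: owned or writable by another user" >&2
            return 1
        fi
    done
}

# validate_jva DIR ROOTCA: DIR is the directory created by "bash <image>.jva -x".
# Exit status: 0 valid, 1 unsafe or missing input, 2 certificate chain rejected,
# 3 no usable signature line, 4 signature does not match vsrx.sig.
validate_jva() {
    dir=$1
    root=$2
    check_private "$root" "$dir/certchain.pem" "$dir/vsrx.cert" "$dir/vsrx.sig" || return 1
    work=$(mktemp -d) || return 1

    # The signing certificate must chain to the root certificate. Require the
    # "OK" message the procedure describes as well as a zero exit status.
    out=$(openssl verify -CAfile "$root" -untrusted "$dir/certchain.pem" \
            "$dir/vsrx.cert" 2>/dev/null)
    rc=$?
    case "$rc:$out" in
        0:*": OK") ;;
        *) rm -rf "$work"
           echo "certificate chain rejected" >&2
           return 2 ;;
    esac

    # Extract the signer's public key, then convert the hex signature held in
    # field 2 of the first line of vsrx.cert to binary.
    openssl x509 -pubkey -noout -in "$dir/vsrx.cert" > "$work/public.pem" 2>/dev/null &&
        head -n 1 "$dir/vsrx.cert" | awk '{print $2}' | xxd -p -r > "$work/signature.binary" &&
        [ -s "$work/signature.binary" ] ||
        { rm -rf "$work"; echo "no usable signature in vsrx.cert" >&2; return 3; }

    # -sha1 is the digest the procedure's command uses.
    out=$(openssl dgst -sha1 -verify "$work/public.pem" \
            -signature "$work/signature.binary" "$dir/vsrx.sig" 2>/dev/null)
    rc=$?
    rm -rf "$work"
    if [ "$rc" -eq 0 ] && [ "$out" = "Verified OK" ]; then
        return 0
    fi
    echo "signature does not match vsrx.sig" >&2
    return 4
}
```

The certificate chain check in validate_jva is the same openssl verify call as step 7 of the OVA procedure, so check_private applies unchanged to the OVA image and root certificate file before running ovftool.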
Supported Features for Junos OS Release 12.1X47-D45 for Firefly Perimeter
Table 1 on page 10 lists the main features that are supported on Junos OS Release
12.1X47-D45 for Firefly Perimeter.
Table 1: Features Supported on Firefly Perimeter
Feature | Description | Firefly Perimeter Platform
Unified Threat Management (UTM) | Consolidation of several security features into one device, protecting against multiple threat types. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-utm-index.html | VMware and KVM
Intrusion Detection and Prevention (IDP) | Detects and prevents attacks in network traffic. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-idp-index.html | VMware and KVM
Transparent mode | Filters packets that traverse the device without modifying any of the source or destination information in the IP packet headers. For more information: http://www.junos.com/techpubs/en_US/junos12.1x45/topics/concept/security-layer2-bridging-transparent-mode-overview.html | VMware and KVM
IPsec VPN | Provides security to IP flows through the use of authentication and encryption. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-vpn-ipsec.html | VMware and KVM
Chassis cluster support for VirtIO driver | KVM hypervisor environment supports chassis cluster using the VirtIO driver and interfaces. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-chassis-cluster.html | KVM
Transparent mode chassis cluster support | Supports transparent mode on chassis cluster. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-chassis-cluster.html | VMware and KVM
VMware vSphere 5.5 support | VMware vSphere 5.5 supported in addition to VMware vSphere 5.0 and 5.1. | VMware
Deterministic NAT | Identifies attackers and deals with abuse without NAT logging for each connection or port block. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-nat.html#overview | VMware and KVM
Port Block Allocation (PBA) NAT | Allocates ports to subscribers in blocks and generates logs during block allocation or release. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-nat.html#overview | VMware and KVM
Application Identification (AppID) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppID is supported. This feature identifies applications as parts of application clusters in TCP/UDP/ICMP traffic. AppID strengthens the firewall at different network layers using different techniques rather than port numbers and IP addresses. Application signatures are modified to provide security at application levels. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-application-identification.html | VMware and KVM
Application Quality of Service (AppQoS) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppQoS is supported. AppQoS is a part of the AppSecure suite of components. This feature expands the capability of AppQoS to include marking DiffServ code point (DSCP) values based on Layer 7 application. Rate-limiter, DSCP rewrite, set loss priority, priority, and queue traffic are the techniques used by AppQoS. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/security-application-qos-understanding.html | VMware and KVM
Application Firewall (AppFW) | Starting in Junos OS for Firefly Perimeter Release 12.1X47-D20, AppFirewall is supported. For more information: http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/application-firewall-overview.html | VMware and KVM
Dynamic Host Configuration Protocol (DHCP) | Starting in Firefly Perimeter 12.1X47-D20, DHCP is supported. DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own IP address, the IP address of a server host, and the name of a bootstrap file. | VMware and KVM
Licensing
Starting with Junos OS Release 12.1X47-D20 for Firefly Perimeter, licenses are required
for advanced security features such as UTM, IPS, and AppSecure.
Licenses are usually ordered when the software application is purchased, and this
information is bound to a customer ID. If you did not order the licenses when you purchased
your software application, contact your account team or Juniper Networks Customer
Care for assistance. Licenses can be procured from the Juniper Networks License
Management System (LMS). To continue using Firefly Perimeter features after an optional
30-day evaluation period (see Firefly Perimeter Evaluation License Installation Process
on page 13), you must purchase and install the license on the device. Otherwise, the
features are disabled.
Table 2 on page 13 lists the Firefly Perimeter license information.
Table 2: Firefly Perimeter License Information
License Details | Description
License Type | 1-, 3-, and 5-year standalone and bundle SKUs.
License Key | License authorization code issued with purchase. The key is obtained with the authorization code.
License Key Validity | License key is valid for multiple instances and contains a customer ID.
License Key Duration | Same as purchased license.
License Key Activation | Activated with license key.
License Enforcement | Enforced with license key.
NOTE: If you are performing a software downgrade with licenses installed,
you will see an error message in the CLI when you try to configure the licensed
features or run the command show system license status.
We recommend that you delete the existing licenses before performing a
software downgrade.
Firefly Perimeter Evaluation License Installation Process
Juniper Networks provides a 30-day evaluation license for Firefly Perimeter advanced
security features. You can download the evaluation license from the Evaluation Download
link. Installation of the evaluation license is similar to the regular license installation using
the CLI. See Firefly Perimeter License Installation Process on page 14.
NOTE: The 30-day evaluation license period begins from the day you enable
the enhanced security features after installing the evaluation licenses.
Firefly Perimeter License Installation Process
You can install Firefly Perimeter licenses using the following options:
• J-Web interface
• Junos OS CLI
To install a license from the J-Web interface:
1. Select Maintain>Licenses on the J-Web user interface. The Licenses window is
displayed as shown in Figure 1 on page 14.
Figure 1: Licenses Window
2. Click Add. The Add License window is displayed as shown in Figure 2 on page 14.
3. Enter the full URL to the destination file containing the license key in the License File
URL box or paste the license key text, in plain-text format, in the License Key Text
box.
Figure 2: Add License Window
4. Click OK to add the license key. The License Details window is displayed as shown in
Figure 3 on page 15.
Figure 3: License Details Window
5. The license key is installed and activated on Firefly Perimeter.
To install a license from the CLI:
1. View the details of the license by entering the show system license command.
2. Install the license by entering the request system license add terminal command.
3. Enter the license key and press CTRL+D to end your input.
root@host>
root@host> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed: none

root@host> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]

E413012057 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

E413012057: successfully added
add license complete (no errors)

root@host> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            1           0    2015-12-31 08:00:00 CST

Licenses installed:
  License identifier: E413012057
  License version: 4
  Software Serial Number: FFPVSRXESXCN
  Customer ID: TEST-USER-SYSTEM
  Features:
    wf_key_websense_ewf - Web Filtering EWF
      date-based, 2014-11-01 08:00:00 CST - 2015-12-31 08:00:00 CST

NOTE: You can save the license key to a file and upload this file to the
Firefly Perimeter file system through FTP or Secure Copy Protocol (SCP).
Install the license, and then use the show system license command to view
the updated license information.
4. The license key is installed and activated on Firefly Perimeter.
Updating Firefly Perimeter Licenses
You can update the Firefly Perimeter licenses using the following two methods:
• Automatic license update using the CLI
• Manual license update using the CLI
To enable automatic license updates from the CLI:
1. Obtain a valid license.
2. Configure a valid update server at https://ae1.juniper.net.
3. Contact your account team or Juniper Networks Customer Care for assistance.
4. Use the following configuration to enable automatic license updates.
root@host>
system {
    license {
        autoupdate {
            url https://url.of.license.server;
        }
        renew before-expiration 30 interval 6;
    }
}
The configuration allows Firefly Perimeter to contact the license server 30 days before
the current license expires and send an automatic update request every 6 hours.
To manually update the license from the CLI:
1. Update the license by entering the request system license update url
https://url.of.license.server command.
2. Check the status of the license by entering the show system license command.
This command sends a license update request to the license server immediately.
Firefly Perimeter Feature License Models
For information about how to purchase a software license, contact your Juniper Networks
sales representative at http://www.juniper.net/in/en/contact-us/.
The same license key can be installed on multiple devices as long as it is not installed on
more devices than the license was purchased for. Table 3 describes the Firefly
Perimeter features that require licenses.
Table 3: Firefly Perimeter Feature Licenses
Feature
Application Signature Update (Application Identification)
IDP Signature Update
Juniper-Sophos Antivirus
Juniper-Sophos Antispam
Juniper-Websense Enhanced Web Filter
Each license allows you to run the specified advanced software features on Firefly
Perimeter.
Features Supported on Firefly Perimeter
Firefly Perimeter inherits many features from the SRX Series product line. However,
because some SRX Series features are not directly applicable in a virtualized environment,
they have been excluded from the Firefly Perimeter product line. Table 4
describes the available features on Firefly Perimeter as of Junos OS Release 12.1X47-D45.
For feature roadmap details, contact your Juniper Networks representative.
Table 4: Features Supported on Firefly Perimeter
Feature | Support on Firefly Perimeter
Address Books and Address Sets:
Address books | Yes
Address sets | Yes
Global address objects or sets | Yes
Nested address groups | Yes
Administrator Authentication:
Local authentication | Yes
RADIUS | Yes
TACACS+ | Yes
Alarms:
Chassis alarms | Yes
Interface alarms | Yes
System alarms | Yes
Application Layer Gateways:
DNS ALG | Yes
DNS doctoring support | Yes
DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering | Yes
DSCP marking for SIP, H.323, MGCP, and SCCP ALGs | Yes
FTP | Yes
H.323 | Yes
Avaya H.323 | No
IKE | Yes
MGCP | Yes
PPTP | Yes
RSH | Yes
RTSP | Yes
SCCP | Yes
SIP | Yes
SIP ALG–NEC | Yes
SQL | Yes
MS RPC | Yes
SUN RPC | Yes
TALK | Yes
TFTP | Yes
Attack Detection and Prevention:
Bad IP option | Yes
Block fragment traffic | Yes
FIN flag without ACK flag set protection | Yes
ICMP flood protection | Yes
ICMP fragment protection | Yes
IP address spoof | Yes
IP address sweep | Yes
IP record route option | Yes
IP security option | Yes
IP stream option | Yes
IP strict source route option | Yes
IP timestamp option | Yes
Land attack protection | Yes
Large size ICMP packet protection | Yes
Loose source route option | Yes
Ping of death attack protection | Yes
Port scan | Yes
Source IP-based session limit | Yes
SYN-ACK-ACK proxy protection | Yes
SYN and FIN flags set protection | Yes
SYN flood protection | Yes
SYN fragment protection | Yes
TCP address sweep | Yes
TCP packet without flag set protection | Yes
Teardrop attack protection | Yes
UDP address sweep | Yes
UDP flood protection | Yes
Unknown IP protocol protection | Yes
Whitelist for SYN flood screens | Yes
WinNuke attack protection | Yes
Authentication with IC Series Devices:
Captive Portal | Yes
Junos OS Layer 3 enforcement in UAC deployments | Yes
Junos OS Layer 2 enforcement in UAC deployments | No
NOTE: UAC-IPS and UAC-UTM are also not supported.
Autoinstallation:
Autoinstallation | Yes
Class of Service:
Classifiers | Yes
Code-point aliases | Yes
Egress interface shaping | Yes
Forwarding classes | Yes
High-priority queue on Services Processing Card | No
Ingress interface policer | Yes
Schedulers | Yes
Simple filters | Yes
Transmission queues | Yes
Tunnels | Yes
NOTE: GRE and IP-IP tunnels only.
Virtual channels | Yes
Diagnostics Tools:
CLI terminal | Yes
Flow monitoring cflowd version 5 and flow monitoring cflowd version 8 | Yes
Flow monitoring cflowd version 9 | No
Ping host | Yes
Ping MPLS | Yes
Ping Ethernet (CFM) | No
Traceroute | Yes
Traceroute Ethernet (CFM) | No
DNS Proxy:
DNS proxy cache | Yes
DNS proxy with split DNS | Yes
Dynamic DNS | No
Dynamic Host Configuration Protocol:
DHCPv6 client | Yes
DHCPv4 client | Yes
DHCPv6 relay agent | Yes
DHCPv4 relay agent | Yes
DHCPv6 server | Yes
DHCPv4 server | Yes
DHCP server address pools | Yes
DHCP server static mapping | Yes
Ethernet Link Aggregation:
Routing mode:
LACP in chassis cluster pair | No
LACP in standalone device | No
Layer 3 LAG on routed ports | No
Static LAG in chassis cluster mode | No
Static LAG in standalone mode | No
Ethernet Link Fault Management:
Interfaces supported:
LACP in chassis cluster pair | No
LACP in standalone mode | No
Static LAG in chassis cluster mode | No
Static LAG in standalone mode | No
Physical interface (encapsulations):
ethernet-ccc | No
extended-vlan-ccc | No
ethernet-tcc | No
extended-vlan-tcc | No
Interface family:
ccc | No
ethernet-switching | No
inet | Yes
inet6 | Yes
iso | Yes
mpls | Yes
tcc | No
Aggregated Ethernet interface:
LACP enabled LAG | No
Static LAG | No
Interface family:
ethernet-switching | No
inet | Yes
inet6 | Yes
iso | Yes
mpls | Yes
File Management:
Archive files | Yes
Calculate checksum | Yes
Compare files | Yes
Clean up unnecessary files | Yes
Delete backup software image | Yes
Delete individual files | Yes
Download system files | Yes
Encrypt/decrypt configuration files | Yes
Manage account files | Yes
Monitor start | Yes
Rename files | Yes
Rescue | Yes
System zeroize | Yes
Firewall Authentication:
Firewall authentication on Layer 2 transparent authentication | Yes
LDAP authentication server | Yes
Local authentication server | Yes
Pass-through authentication | Yes
RADIUS authentication server | Yes
SecurID authentication server | Yes
Web authentication | Yes
Flow-Based and Packet-Based Processing:
Alarms and auditing | Yes
End-to-end packet debugging | No
Flow-based processing | Yes
Network processor bundling | No
Packet-based processing | Yes
Selective stateless packet-based services | Yes
Interfaces:
Physical and Virtual Interface:
Ethernet interface | Yes
Gigabit Ethernet interface | Yes
Services:
Aggregated Ethernet interface | No
GRE interface | Yes
IEEE 802.1X dynamic VLAN assignment | No
IEEE 802.1X MAC bypass | No
IEEE 802.1X port-based authentication control with multisupplicant support | No
Interleaving using MLFR | No
Internally configured interface used by the system as a control path between the WXC Integrated Services Module and the Routing Engine | No
Internally generated GRE interface (gr-0/0/0) | Yes
Internally generated IP-over-IP interface (ip-0/0/0) | Yes
Internally generated link services interface | Yes
Internally generated PIM de-encapsulation interface | Yes
Internally generated PIM encapsulation interface | Yes
Link fragmentation and interleaving interface | Yes
Link services interface | Yes
Loopback interface | Yes
Management interface | Yes
PPP interface | No
PPPoE-based radio-to-router protocol | No
PPPoE interface | No
Promiscuous mode on interfaces | Yes
NOTE: Promiscuous mode needs to be enabled on hypervisor.
Secure tunnel interface | Yes
IP Monitoring:
IP monitoring with route failover (for standalone devices and redundant Ethernet interfaces) | Yes
IP monitoring with interface failover (for standalone devices) | Yes
Track IP enhancements (IP monitoring using RPM) | No
IP Security:
Acadia - Clientless VPN | No
Alarms and auditing | Yes
Antireplay (packet replay attack prevention) | Yes
Authentication | Yes
Authentication Header (AH) | Yes
Autokey management | Yes
Automated certificate enrollment using SCEP | Yes
Automatic generation of self-signed certificates | Yes
Bridge domain and transparent mode | Yes
Certificate - Configure local certificate sent to peer | Yes
Certificate - Configure requested CA of peer certificate | Yes
Certificate - Encoding: PKCS7, X509, PEM, DERs | Yes
Certificate - RSA signature | Yes
Chassis clusters (active/backup and active/active) | Yes
NOTE: VMware platform only.
CoS | Yes
CRL update at user-specified interval | Yes
Config mode (draft-dukes-ike-mode-cfg-03) | Yes
Dead peer detection (DPD) | Yes
Diffie-Hellman (PFS) Group 1 | Yes
Diffie-Hellman (PFS) Group 2 | Yes
Diffie-Hellman (PFS) Group 5 | Yes
Diffie-Hellman Group 1 | Yes
Diffie-Hellman Group 2 | Yes
Diffie-Hellman Group 5 | Yes
Digital signature generation | Yes
Dynamic IP address | Yes
Dynamic IPsec VPNs | No
Encapsulating Security Payload (ESP) protocol | Yes
Encryption algorithm 3DES | Yes
Encryption algorithm AES 128, 192, and 256 | Yes
Encryption algorithm DES | Yes
Encryption algorithms NULL (authentication only) | Yes
Entrust, Microsoft, and Verisign certificate authorities (CAs) | Yes
External Extended Authentication (Xauth) to a RADIUS server for remote access connections | Yes
Group Encrypted Transport (GET VPN) | No
Group VPN with dynamic policies | No
Hard lifetime limit | Yes
Hardware IPsec (bulk crypto) Cavium/RMI | No
Hash algorithms MD5 | Yes
Hash algorithms SHA-1 | Yes
Hash algorithms SHA-2 (SHA-256) | Yes
Hub & spoke VPN | Yes
Idle timers for IKE | Yes
Improvements in VPN debug capabilities | Yes
Initial contact | Yes
Invalid SPI response | Yes
IKE Diffie-Hellman Group 14 support | Yes
IKE Phase 1 | Yes
IKE Phase 1 lifetime | Yes
IKE Phase 2 | Yes
IKE Phase 2 lifetime | Yes
IKE and IPsec predefine proposal sets to work with dynamic VPN client | No
IPsec tunnel termination in routing instances | Yes
IKE support | Yes
IKEv1 | Yes
IKEv1 authentication, preshared key | Yes
IKEv2 | Yes
Local IP address management support for VPN XAuth | Yes
Local IP address management support for DVPN | No
Manual installation of DER-encoded and PEM-encoded CRLs | Yes
Manual key management | Yes
Manual proxy-ID (Phase 2 ID) configuration | Yes
Next-Hop Tunnel Binding (NHTB) | Yes
New IPsec Phase 2 authentication algorithm | Yes
Online CRL retrieval through LDAP and HTTP | Yes
Package dynamic VPN client | No
Policy-based VPN | Yes
Preshared key (PSK) | Yes
Prioritization of IKE packet processing | Yes
Reconnect to dead IKE peer | Yes
Remote access | Yes
Remote access user IKE peer | Yes
Remote access user-group IKE peer - group IKE ID | Yes
Route-based VPN | Yes
SHA-2 IPsec support | Yes
Soft lifetime | Yes
Static IP address | Yes
Suites: standard, compatible, basic, and custom-created | Yes
Support for NHTB when the st0.x interface is bound to a routing instance | Yes
Support for remote access peers with shared IKE identity + mandatory XAuth | Yes
Support group IKE IDs for dynamic VPN configuration | No
TOS/DSCP honoring/coloring (inner/outer) | Yes
Tunnel mode with clear/copy/set Don't Fragment bit | Yes
UAC Layer 3 enforcement | Yes
Virtual router support for route-based VPNs | Yes
VPN monitoring (proprietary) | Yes
X.509 encoding for IKE | Yes
XAuth (draft-beaulieu-ike-xauth-03) | Yes
IPv6 Support:
Flow-based forwarding and security features:
Advanced flow | Yes
DS-Lite concentrator (aka AFTR) | No
DS-Lite initiator (aka B4) | No
Firewall filters | Yes
Forwarding option: flow mode | Yes
Multicast flow | Yes
Screens | Yes
Security policy (firewall) | Yes
Security policy (IPS) | Yes
Security policy (user role firewall) | No
Zones | Yes
IPv6 ALG support for FTP: Routing, NAT, NAT-PT support | Yes
IPv6 ALG support for ICMP: Routing, NAT, NAT-PT support | Yes
IPv6 NAT: NAT-PT, NAT support | Yes
IPv6 NAT64 | Yes
IPv6-related protocols: BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng | Yes
IPv6 ALG support for TFTP | Yes
System services: DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet, traceroute | Yes
Packet-based forwarding and security features:
CoS | Yes
Firewall filters | Yes
Forwarding option: packet mode | Yes
Chassis Cluster
Chassis Cluster Support on VMware:
Active-active | Yes
Active-passive | Yes
ALGs | Yes
Chassis cluster formation | Yes
Control plane failover | Yes
Dampening time between back-to-back redundancy group failover | Yes
Data plane failover | Yes
Dual control links | No
Dual fabric links | Yes
In-band cluster upgrade | No
Junos OS flow-based routing functionality | Yes
Layer 2 Ethernet switching capacity | No
Layer 2 LAG | No
Layer 3 LAG | No
LACP support for Layer 2 | No
LACP support for Layer 3 | No
Low-impact cluster upgrade (ISSU Light) | No
Low latency firewall | No
Multicast flow | Yes
Multicast routing | Yes
PPPoE over redundant Ethernet interface | No
Redundant Ethernet interfaces | Yes
Redundant Ethernet interface LAGs | No
Redundant Ethernet or aggregate Ethernet interface monitoring | Yes
Redundancy group 0 (backup for Routing Engine) | Yes
Redundancy group 1 through 128 | Yes
Stateful Failover - IPsec VPN (policy based) | Yes
Stateful Failover - IPsec VPN (route based) | Yes
Upstream device IP address monitoring | Yes
Upstream device IP address monitoring on a backup interface | Yes
Chassis Management
Chassis management (support on VMware) | Yes
Chassis cluster support on KVM:
Chassis cluster for VirtIO driver | Yes
NOTE: For VirtIO interfaces, link status update is not supported. The link status of VirtIO interfaces is always reported as UP. Therefore the Firefly Perimeter implementation using VirtIO and chassis cluster cannot receive link up and link down messages from VirtIO interfaces.
IPv6 IP Security:
4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1 | Yes
4in4 and 6in6 policy-based site-to-site VPN, manual key | Yes
4in4 and 6in6 route-based site-to-site VPN, AutoKey IKEv1 | Yes
4in4 and 6in6 route-based site-to-site VPN, manual key | Yes
Log File Formats:
System (control plane) log file formats:
Binary format (binary) | No
Structured syslog (sd-syslog) | Yes
Syslog (syslog) | Yes
WebTrends Enhanced Log Format (WELF) | No
Security (data plane) log file formats:
Binary format (binary) | Yes
Structured syslog (sd-syslog) | Yes
Syslog (syslog) | Yes
WebTrends enhanced log format (WELF) | Yes
MPLS:
CCC and TCC | No
CLNS | Yes
Interprovider and carrier-of-carriers VPNs | Yes
Layer 2 VPNs for Ethernet connections | Yes
NOTE: Promiscuous mode needs to be enabled on hypervisor.
Layer 3 MPLS VPNs | Yes
LDP | Yes
MPLS VPNs with VRF tables on PE routers | Yes
Multicast VPNs | Yes
OSPF and IS-IS traffic engineering extensions | Yes
P2MP LSPs | Yes
RSVP | Yes
Secondary and standby LSPs | Yes
Standards-based fast reroute | Yes
Multicast:
Filtering PIM register messages | Yes
IGMP | Yes
PIM RPF routing table | Yes
PIM Static RP | Yes
Primary routing mode (dense mode for LAN and sparse mode for WAN) | Yes
SDP | Yes
Session Announcement Protocol (SAP) | Yes
Multicast VPN:
Basic multicast features in C-instance | Yes
Multicast VPN membership discovery with BGP | Yes
P2MP LSP support | Yes
P2MP OAM - P2MP LSP ping | Yes
Reliable multicast VPN routing information exchange | Yes
Network Address Translation:
Destination IP address translation | Yes
Disabling source NAT port randomization | Yes
Interface source NAT pool port | Yes
NAT address pool utilization threshold status | Yes
NAT traversal (NAT-T) for site-to-site IPsec VPNs (IPv4) | Yes
Persistent NAT | Yes
Persistent NAT binding for wildcard ports | Yes
Persistent NAT hairpinning | Yes
Maximize persistent NAT bindings | No
Pool translation | Yes
Proxy ARP (IPv4) | Yes
Proxy NDP (IPv6) | Yes
Removing persistent NAT query bindings | Yes
Rule-based NAT | Yes
Rule translation | Yes
Source address and group address translation for multicast flows | Yes
Source IP address translation | Yes
Static NAT | Yes
Deterministic NAT | Yes
PBA NAT | Yes
Network Operations and Troubleshooting:
Event policies | Yes
Event scripts | Yes
Operation scripts | Yes
XSLT commit scripts | Yes
Network Time Protocol:
NTP support | Yes
NOTE: VMware recommends using NTP and disabling time synchronization in the VMware tools.
Packet Capture:
Packet capture | Yes
NOTE: Packet capture, in this context, refers to standard interface packet capture. It is not part of the IPS. Packet capture is supported only on physical interfaces and tunnel interfaces; for example, gr, ip, st0. Packet capture is not supported on redundant Ethernet interfaces (reth).
Real-Time Performance Monitoring Probe
RPM probe | Yes
One-way timestamps | Yes
Routing:
BGP | Yes
BGP extensions for IPv6 | Yes
BGP Flowspec | No
Compressed Real-Time Transport Protocol (CRTP) | No
ECMP flow-based forwarding | No
Internet Group Management Protocol (IGMP) | Yes
IPv4 options and broadcast Internet diagrams | Yes
IPv6 routing, forwarding, global address configuration, and Internet Control Message Protocol (ICMP) | Yes
IS-IS | Yes
Multiple virtual routers | Yes
Neighbor Discovery Protocol (NDP) and Secure NDP | Yes
OSPF v2 | Yes
OSPF v3 | Yes
RIP next generation (RIPng) | Yes
RIP v1, v2 | Yes
Static routing | Yes
Virtual Router Redundancy Protocol (VRRP) | Yes
Secure Web Access:
CAs | Yes
HTTP | Yes
HTTPS | Yes
Security Policy Support:
Address books/address sets | Yes
Common predefined applications | Yes
Custom policy applications | Yes
Global policy | Yes
Policy application timeouts | Yes
Policy applications and application sets | Yes
Policy hit-count tracking | Yes
Schedulers | Yes
Security policies for self-traffic | Yes
SSL proxy | No
User role firewall | No
Shadow policy | Yes
Security Zone:
Functional zone | Yes
Security zone | Yes
Session Logging:
Accelerating security and traffic logging | Yes
Aggressive session aging | Yes
Getting information about sessions | Yes
Logging to a single server | Yes
Session logging with NAT information | Yes
SMTP:
SMTP support | Yes
SNMP:
SNMP support | Yes
Stateless Firewall Filters:
Stateless firewall filters (ACLs) | Yes
Stateless firewall filters (simple filter) | No
System Log Files:
Archiving system logs | Yes
Configuring system log messages | Yes
Disabling system logs | Yes
Filtering system log messages | Yes
Multiple system log servers (control-plane logs) | Yes
Sending system log messages to a file | Yes
Sending system log messages to a user terminal | Yes
Viewing data plane logs | Yes
Viewing system log messages | Yes
IDP/IPS
For SRX Series IDP/IPS configuration details, see:
https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-idp-index.html.
Access Control on IPS audit log | Yes
DiffServ code point (DSCP) marking | No
IPS alarms and auditing | Yes
IPS and UAC coordinated threat | Yes
IPS application DDoS (AppDDoS) rule base | No
IPS application identification (AppID) | No
IPS class-of-service action | Yes
IPS cryptographic key handling | No
IPS in an active/active chassis cluster | Yes
IPS operational mode - inline tap | No
IPS logging | Yes
IPS monitoring and debugging | Yes
IPS policy | Yes
IPS rule base | Yes
IPS security packet capture | Yes
IPS signature database | Yes
IPS SSL inspection | No
Jumbo frames | Yes
Nested Application Identification | No
Performance and capacity tuning for IPS | No
SNMP MIB for IPS monitoring | Yes
Transparent Mode:
For information on configuring Firefly Perimeter in transparent mode, see:
http://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf.
Application DoS (AppDDoS) | No
Application Firewall (AppFW) | Yes
Application QoS (AppQoS) | Yes
Application Tracking (AppTrack) | Yes
Bridge domain and transparent mode | Yes
Chassis clusters (active/backup and active/active) | Yes
Class of service | Yes
IPv6 flows | Yes
IPv6 security mode | No
User role firewall | No
UTM | Yes
Public Key Infrastructure (PKI)
Certificate chaining (8-deep) | Yes
UTM
For SRX Series UTM configuration details, see:
https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-utm-index.html.
For SRX Series UTM Series Antispam configuration details, see:
https://www.juniper.net/techpubs/en_US/junos12.1X47/information-products/pathway-pages/security/security-utm-antispam.html.
Antispam (AS) | Yes
Antivirus (AV) Full | No
AppSecure | Yes
AV Sophos | Yes
Chassis cluster | Yes
Content filtering (CF) | Yes
EWF | Yes
Express Antivirus (Express AV) | No
IPsec | Yes
Transparent mode | No
Web filtering (WF) | Yes
WELF logging | Yes
Upgrading and Rebooting:
Autorecovery | No
Boot device configuration | No (N.A.)
Boot device recovery | No (N.A.)
Chassis components control | Yes
Chassis restart | Yes
Download manager | Yes
Dual-root partitioning | No
In-band cluster upgrade | No
Low-impact cluster upgrades | No
Software upgrades and downgrades | Yes
User Interfaces:
CLI | Yes
J-Web user interface | Yes
Junos XML protocol | Yes
Junos Space Security Director | Yes
Junos Space Virtual Director | Yes
Note: Supported on VMware only and not on KVM.
Network and Security Manager | No
SRC application | No
VPLS:
Filtering and policing (packet-based) | Yes
Table 5 lists additional features that are not supported on Firefly Perimeter.
Table 5: Firefly Perimeter Feature Support Information
Feature | Firefly
Application Identification (Junos OS) | Yes
BGP Route Reflector | No
Dynamic VPN (DVPN) | No
General Packet Radio Service (GPRS) | No
Group VPN | No
Hardware Acceleration | No
In-Service Software Upgrade (for all VPN and non-VPN features) | No
Logical systems | No
Multicast for AutoVPN | No
Network Management and Analysis (Suite B implementation for IPsec VPN) | No
Power over Ethernet | No
Remote Device Access | No
Services Offloading | No
USB Modem | No
Voice over Internet Protocol with Avaya | No
Wireless Local Area Network | No
Changes in Default Behavior and Syntax in Release 12.1X47-D45 for Firefly Perimeter
• Performance on VMware 5.5 update 2 or 3 can degrade significantly (25 percent) from
previous versions because of an e1000 driver issue.
Known Behavior
The known behaviors in Firefly Perimeter are as follows:
• On Firefly Perimeter, maximum performance can be achieved using two vNICs. If you
add more vNICs, you can expect a decrease in the total performance because of the
interface driver overhead. The performance behavior is applicable to both the VMware
and the KVM environments.
• On Firefly Perimeter with a KVM chassis cluster, the secondary mode crashes into
database (db) mode after startup and after synchronizing with the primary mode.
• On Firefly Perimeter, the system halts after the login prompt from the virsh console or
the vnc console. It is unable to ping/ssh/telnet to an interface or a service. Ideally, the
system should start without a halt.
• Firefly Perimeter requires a configuration with 2 vCPUs, up to 10 vNICs, 2 GB RAM, and
2 GB disk space. When using IPS or UTM, the required memory size is 3 GB RAM.
• Firefly Perimeter supports VMware ESXi 5.0, 5.1, and 5.5. For KVM, Firefly Perimeter
supports CentOS 6.3, Ubuntu 14.04, and Contrail 1.0.
• The VM hardware version cannot be upgraded through the vSphere client.
• On Firefly Perimeter, family ethernet-switching and services unified-access-control are
not supported.
• On Firefly Perimeter, configuring an interface to do traffic loopback is not supported
because of a VMware e1000 NIC emulation limitation.
• On Firefly Perimeter, configuring XAuth with AutoVPN secure tunnel (st0) interfaces
in point-to-multipoint mode and dynamic IKE gateways is not supported.
Outstanding Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
There are no outstanding issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter.
Outstanding Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
There are no outstanding issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter.
Outstanding Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
There are no outstanding issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter.
Outstanding Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
There are no outstanding issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter.
Outstanding Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
There are no outstanding issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter.
Outstanding Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier
following the description is the tracking number in the Juniper Networks Problem Report
(PR) tracking system.
Flow and Processing
• Performance on VMware 5.5 update 2 or 3 can degrade significantly (25 percent) from
previous versions because of an e1000 driver issue. [PR 1052025]
• On Firefly Perimeter, the generic routing encapsulation (GRE) interface is down when
ge-0/0/0 is set in the routing instance. [PR 1035957]
• On Firefly Perimeter, there is a problem while handling large labels if the remote provider
edge (PE) router disables the vrf-label-label command. [PR 974942]
• For a Firefly Perimeter device running on Ubuntu 14.04, the commit operation time is
slow. [PR 1060459]
• On Firefly Perimeter, while using Network Configuration Protocol (NETCONF), the
commit fails with error UI_NETCONF_ERROR: NETCON. [PR 1060646]
Chassis Cluster
• On Firefly Perimeter with a chassis cluster, proxy-ndp on a reth interface fails if the
IPv6 multicast is set to “33:33:0:0:0:0”. [PR 993888]
• On Firefly Perimeter, cluster connection is unstable over a control or fabric link. [PR
1066969]
Outstanding Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier
following the description is the tracking number in the Juniper Networks Problem Report
(PR) tracking system.
Flow and Processing
• On Firefly Perimeter with KVM VirtIO interface, packet distribution is not evenly
processed for all queues. [PR 925300]
• On Firefly Perimeter, the UDP throughput for 2 vNICs on 16 vSRX instances is less than
that for 2 vNICs on a single vSRX instance. Therefore, 1 vSRX instance (with 2 vNICs
configured) performs better than 16 instances (each with 2 vNICs configured). [PR
930500]
Outstanding Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
The following problems currently exist in Juniper Networks Firefly Perimeter. The identifier
following the description is the tracking number in the Juniper Networks Problem Report
(PR) tracking system.
Chassis Cluster
• In a Firefly Perimeter Layer 2 chassis cluster, when the ping command is used to retrieve
self-traffic details, a 100 percent packet loss is displayed. [PR 964069]
Flow and Processing
• On Firefly Perimeter, RT_IDS logging fails. The issue is related to an IPv6 extension
header introduced in Junos OS Release 12.1X47. [PR 959922]
Interfaces and Routing
• On Firefly Perimeter, RADIUS authentication fails if the management interface in a
routing instance is configured with a default route to the management network. [PR
949530]
Resolved Issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter
There are no resolved issues in Junos OS Release 12.1X47-D45 for Firefly Perimeter.
Chassis Cluster
Resolved Issues in Junos OS Release 12.1X47-D40 for Firefly Perimeter
The following problems are resolved in Junos OS Release 12.1X47-D40 for Firefly Perimeter.
Chassis Cluster
• On Firefly Perimeter with chassis cluster, when the same monitored IP address is
configured on multiple redundancy groups and the secondary IP address is changed,
updating the new IP address on the forwarding plane might fail. This issue is fixed. [PR
1022608]
Flow and Processing
• On Firefly Perimeter, when proxy-NDP is configured, Firefly Perimeter uses the Network
Simulator (NS) packets to create flow sessions instead of directly forwarding them to
the Routing Engine. This issue is fixed. [PR 1157715]
• On Firefly Perimeter, a default route to the DHCP server is established even if the DHCP
option 3 is not set up. This issue is fixed. [PR 1151245]
• On Firefly Perimeter, if more than one DHCP client interface IP address is configured,
and if the IP address of one interface changes because of DHCP renewal or release,
other interfaces in the RENEWING or REBINDING state will lose their IP address. This
issue is fixed. [PR 1156357]
J-Web
• On Firefly Perimeter, TCP/ICMP traffic reports are incorrectly displayed under the UDP
traffic category on J-Web. This issue is fixed. [PR 1171777]
Resolved Issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter
There are no resolved issues in Junos OS Release 12.1X47-D35 for Firefly Perimeter.
Resolved Issues in Junos OS Release 12.1X47-D30 for Firefly Perimeter
The following problems are resolved in Junos OS Release 12.1X47-D30 for Firefly Perimeter.
Interfaces and Routing
• On Firefly Perimeter, when 8 to 10 interfaces are present in the virtual machine, some
packet loss might occur even at low bandwidth. This would show as RX drops on the
connected vswitch port. This issue is fixed. [PR 1117720]
Resolved Issues in Junos OS Release 12.1X47-D25 for Firefly Perimeter
The following problems are resolved in Junos OS Release 12.1X47-D25 for Firefly Perimeter.
Flow and Processing
• In Firefly Perimeter, the generic routing encapsulation (GRE) interface is down when
ge-0/0/0 is set in the routing instance. This issue is fixed. [PR 1035957]
Resolved Issues in Junos OS Release 12.1X47-D20 for Firefly Perimeter
The following problems are resolved in Juniper Networks Firefly Perimeter.
IPS
• On Firefly Perimeter, the permitted range of values to be entered in the CLI command
set security idp sensor-configuration detector protocol-name TELNET tunable-name
sc_telnet_failed_logins tunable-value incorrectly ranges from 33554432 to 1677721600.
The appropriate range is 2 to 100. This results in the commit check error out of range
when a value in the appropriate range has been configured. This issue is fixed. [PR
954372]
Flow and Processing
• On Firefly Perimeter, TCP packet re-ordering causes traffic issues when sub-interfaces
on reth are used. This issue is fixed. [PR 1026130]
• On Firefly Perimeter, after sending telnet traffic, some incorrect source ports and
destination ports are populating in the log messages. This issue is fixed. [PR 1058838]
Resolved Issues in Junos OS Release 12.1X47-D15 for Firefly Perimeter
The following problems are resolved in Juniper Networks Firefly Perimeter.
Chassis Cluster
• On Firefly Perimeter with VMware, there is an issue with the chassis cluster setup in
the VMware 5.5 environment. This issue is fixed. [PR 936992]
• On Firefly Perimeter, source MAC learning might fail in Layer 2 mode if redundancy
group failover occurs immediately after an RG0 failover. Waiting 3 to 5 minutes fixed
this issue. [PR 962905]
Flow and Processing
• On Firefly Perimeter, transferring UDP traffic from the same source and destination
results in a loop for further forwarding sessions. This issue is fixed. [PR 981170]
• On Firefly Perimeter, source MAC learning might fail when there is a failover in node
RG0. This issue is fixed. [PR 972358]
• On Firefly Perimeter, proxy-ndp is inactive on the reth interface. This issue is fixed. [PR
985093]
Resolved Issues in Junos OS Release 12.1X47-D10 for Firefly Perimeter
The following problems are resolved in Juniper Networks Firefly Perimeter.
Chassis Cluster
• On Firefly Perimeter with a KVM chassis cluster, one of the interface cards appears
offline. The issue occurs because of a control link failure. This issue is fixed. [PR 966469]
• On Firefly Perimeter with a KVM chassis cluster, when the secondary node is rebooted
after a manual failure, the flowd fabric monitor or interface displays its link status as
Down. This issue is fixed. [PR 973945]
• On Firefly Perimeter with a VMware ESXi chassis cluster, a core file is generated during
a failover. This issue is fixed. [PR 976757]
• On Firefly Perimeter, the system is unable to capture the attack packets. This issue is
fixed. [PR 980858]
Flow and Processing
• On Firefly Perimeter, the secondary node might print SIGTERM or exit information in
the console and crash into db mode. This issue is fixed. [PR 971280]
• On Firefly Perimeter, the reth port releases its aggregate physical interface. In this case,
no traffic is able to traverse the physical interface. This issue is fixed. [PR 978546]
IPS
• On Firefly Perimeter, Application Identification (AppID) is not supported. This issue is
fixed. [PR 957639]
Junos OS Documentation and Release Notes
For a list of related Junos OS documentation, see
http://www.juniper.net/techpubs/software/junos/.
If the information in the latest release notes differs from the information in the
documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper Networks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to [email protected]. Include the
document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
[email protected]. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
11 November 2016—Revision 1, Firefly Perimeter - Release 12.1X47-D45.
Copyright © 2016, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.