Juniper Networks ScreenOS Release Notes DI 62 Rn 630r19 Rev01

User Manual: DI 62

Open the PDF directly: View PDF PDF.
Page Count: 116 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Juniper Networks ScreenOS Release
Notes
Release 6.3.0r19
May 2015
Revision 01
Products: Integrated Security Gateway (ISG) 1000, ISG 1000-IDP, ISG 2000, ISG
2000-IDP, Secure Services Gateway (SSG) 5, SSG 20, SSG 140, SSG 300M-series, SSG
500/500M-series, and NetScreen-5000 series (NS 5000–MGT2/SPM2 and NS
5000–MGT3/SPM3).
Contents VersionSummary....................................................9
NewFeaturesandEnhancements......................................9
New Software Features and Enhancements Introduced in 6.3.0 . . . . . . . . . . . 9
Authentication ..............................................10
Antivirus(AV)andWebFiltering................................10
BorderGatewayProtocol(BGP).................................11
CLI ........................................................11
DeviceManagement..........................................11
Dynamic Host Control Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Internet Protocol Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Internet Protocol Version 6 (IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
ISG-IDP Diagnostic Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
NetScreen Redundancy Protocol (NSRP) . . . . . . . . . . . . . . . . . . . . . . . . . 16
Other......................................................16
Policies ....................................................18
Routing....................................................20
Security ....................................................21
VirtualPrivateNetwork(VPN)..................................21
ChangestoDefaultBehavior..........................................22
Changes to Default Behavior Introduced in 6.3.0 . . . . . . . . . . . . . . . . . . . . . . 22
Changes to Default Behavior Introduced in 6.3.0r17 . . . . . . . . . . . . . . . . . . . . 23
Changes to Default Behavior Introduced in 6.3.0r13 . . . . . . . . . . . . . . . . . . . . 23
Changes to Default Behavior Introduced in 6.3.0r11 . . . . . . . . . . . . . . . . . . . . . 23
Changes to Default Behavior Introduced in 6.3.0r8 . . . . . . . . . . . . . . . . . . . . . 23
Changes to Default Behavior Introduced in 6.3.0r7 . . . . . . . . . . . . . . . . . . . . . 24
1Copyright © 2015, Juniper Networks, Inc.
Changes to Default Behavior Introduced in 6.3.0r5 . . . . . . . . . . . . . . . . . . . . . 24
Changes to Default Behavior Introduced in 6.3.0r4 . . . . . . . . . . . . . . . . . . . . . 24
Changes to Default Behavior Introduced in 6.3.0r3 . . . . . . . . . . . . . . . . . . . . . 24
Changes to Default Behavior Introduced in 6.3.0r1 . . . . . . . . . . . . . . . . . . . . . 24
Network and Security Manager (NSM) Compatibility . . . . . . . . . . . . . . . . . . . . . . 25
Detector and Attack Objects Update (only for ISG-IDP) . . . . . . . . . . . . . . . . . . . . 25
AddressedIssues...................................................25
Addressed Issues in ScreenOS 6.3.0r19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Admin.....................................................26
Antivirus...................................................26
DNS ......................................................26
WebUI.....................................................26
Others ....................................................26
Routing ....................................................27
Security....................................................27
VPN.......................................................27
Addressed Issues from ScreenOS 6.3.0r18 . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Admin.....................................................28
Antivirus...................................................28
WebUI ....................................................28
Others ....................................................28
Routing....................................................29
Security ...................................................29
VPN ......................................................29
Addressed Issues from ScreenOS 6.3.0r17 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
CLI .......................................................29
Others ....................................................30
Security ...................................................30
Routing ....................................................31
VPN.......................................................31
WebUI .....................................................31
Addressed Issues from ScreenOS 6.3.0r16 . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Others.....................................................32
Security....................................................32
WebUI.....................................................33
Addressed Issues from ScreenOS 6.3.0r15 . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
CLI........................................................33
Others.....................................................33
Security ...................................................35
VPN ......................................................35
WebUI.....................................................35
Addressed Issues from ScreenOS 6.3.0r14 . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Admin.....................................................36
ALG.......................................................36
Antivirus(AV)...............................................36
Others ....................................................36
Routing ....................................................37
Security....................................................37
VPN.......................................................37
Copyright © 2015, Juniper Networks, Inc.2
ScreenOS 6.3.0 Release Notes
WebUI.....................................................37
Addressed Issues from ScreenOS 6.3.0r13 . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
ALG.......................................................38
Antivirus(AV)...............................................38
Logging....................................................38
Other .....................................................38
Routing....................................................39
Screen ....................................................39
SNMP.....................................................39
VPN ......................................................39
WebUI ....................................................39
Addressed Issues from ScreenOS 6.3.0r12 . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ALG ......................................................40
Authentication..............................................40
Antivirus (AV) ..............................................40
Logging ...................................................40
Management...............................................40
NSRP .....................................................40
Other .....................................................40
Routing....................................................42
SNMP.....................................................42
VPN ......................................................43
WebUI.....................................................43
Addressed Issues from ScreenOS 6.3.0r11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
ALG.......................................................43
Antivirus(AV)...............................................43
IDP .......................................................43
Management ...............................................43
NAT ......................................................44
NSRP .....................................................44
Other .....................................................44
Routing....................................................45
VoIP ......................................................46
VPN ......................................................46
WebUI ....................................................46
Addressed Issues from ScreenOS 6.3.0r10 . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
ALG.......................................................46
IDP .......................................................46
Management ...............................................46
NSRP .....................................................47
Other .....................................................47
Performance ...............................................48
Routing....................................................48
Security ...................................................48
VOIP......................................................48
VPN ......................................................49
WebUI ....................................................49
3Copyright © 2015, Juniper Networks, Inc.
Addressed Issues from ScreenOS 6.3.0r9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Administration..............................................49
ALG.......................................................49
HA&NSRP................................................49
IDP .......................................................49
Management...............................................50
Other .....................................................50
Performance................................................51
Routing ....................................................51
VOIP ......................................................51
VPN.......................................................51
WebUI .....................................................51
Addressed Issues from ScreenOS 6.3.0r8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Administration ..............................................52
ALG.......................................................52
Antivirus ...................................................52
Authentication..............................................52
CLI........................................................52
DNS ......................................................52
IDP .......................................................52
Management ...............................................53
Other .....................................................53
Routing....................................................54
VPN ......................................................54
WebUI ....................................................54
Addressed Issues from ScreenOS 6.3.0r7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
ALG.......................................................54
Antivirus...................................................54
Authentication..............................................55
CLI .......................................................55
Management ...............................................55
NAT.......................................................55
Other .....................................................55
Routing....................................................56
VoIP ......................................................56
VPN ......................................................56
WebUI.....................................................57
Addressed Issues from ScreenOS 6.3.0r6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Administration..............................................58
Antivirus...................................................58
Authentication..............................................58
CLI .......................................................58
DI ........................................................58
DNS ......................................................58
GPRS .....................................................58
HA&NSRP................................................58
IDP .......................................................59
Management ...............................................59
Other .....................................................59
Copyright © 2015, Juniper Networks, Inc.4
ScreenOS 6.3.0 Release Notes
Routing ...................................................60
Security ...................................................60
VoIP ......................................................60
VPN ......................................................60
WebUI .....................................................61
Addressed Issues from ScreenOS 6.3.0r5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Administration ..............................................61
Antivirus ...................................................61
Authentication ..............................................61
DHCP .....................................................62
DI ........................................................62
HA&NSRP................................................62
IDP .......................................................62
Management ...............................................62
NAT.......................................................62
Other .....................................................62
Routing....................................................63
VoIP ......................................................63
VPN ......................................................63
Addressed Issues from ScreenOS 6.3.0r4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Administration..............................................64
ALG.......................................................64
Antivirus...................................................64
Authentication..............................................64
CLI .......................................................64
DHCP .....................................................64
HA&NSRP................................................64
IDP .......................................................64
Management ...............................................65
Other .....................................................65
Performance ...............................................67
Routing....................................................67
VoIP ......................................................67
VPN ......................................................67
WebUI.....................................................67
Addressed Issues from ScreenOS 6.3.0r3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Administration..............................................68
Antivirus...................................................68
DHCP .....................................................68
GPRS .....................................................68
HAandNSRP..............................................69
IDP .......................................................69
Management...............................................69
NAT.......................................................70
Other .....................................................70
Performance ................................................71
Routing ....................................................71
VoIP.......................................................72
VPN.......................................................72
5Copyright © 2015, Juniper Networks, Inc.
WebUI.....................................................72
Addressed Issues from ScreenOS 6.3.0r2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Administration ..............................................73
Antivirus(AV)...............................................73
Authentication ..............................................73
CommandLineInterface(CLI).................................74
DeepInspection(DI).........................................74
DomainNameSystem(DNS)..................................74
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
High Availability and NetScreen Redundancy Protocol (HA and
NSRP) .................................................74
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . 74
Management ...............................................74
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Other......................................................75
Performance ...............................................76
Routing....................................................76
Voice-over-Internet Protocol (VoIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
VirtualPrivateNetwork(VPN).................................76
WebUI .....................................................77
Addressed Issues from ScreenOS 6.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Administration ..............................................77
ApplicationLayerGateway(ALG)...............................77
Antivirus(AV)...............................................77
Authentication..............................................78
CommandLineInterface(CLI).................................78
DeepInspection(DI).........................................78
DomainNameSystem(DNS)..................................78
Flow ......................................................78
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
High Availability and NetScreen Redundancy Protocol (HA and
NSRP).................................................79
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . 79
Internet Protocol Version 6 (IPv6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Management...............................................80
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Other......................................................81
Performance ...............................................82
Routing....................................................82
Voice-over-Internet Protocol (VoIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
VirtualPrivateNetwork(VPN).................................83
WebUI ....................................................83
KnownIssues......................................................84
KnownIssuesinScreenOS6.3.0r19.................................84
Others ....................................................84
Security ...................................................84
WebUI ....................................................84
Known Issues from ScreenOS 6.3.0r18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Known Issues from ScreenOS 6.3.0r17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Copyright © 2015, Juniper Networks, Inc.6
ScreenOS 6.3.0 Release Notes
Known Issues from ScreenOS 6.3.0r16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Known Issues from ScreenOS 6.3.0r15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Known Issues from ScreenOS 6.3.0r14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Known Issues from ScreenOS 6.3.0r13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Known Issues from ScreenOS 6.3.0r12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Other .....................................................85
Known Issues from ScreenOS 6.3.0r11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
ALG.......................................................85
Management ...............................................85
Other .....................................................85
Routing....................................................86
VPN ......................................................86
Known Issues from ScreenOS 6.3.0r10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
IDP .......................................................86
NSRP .....................................................86
Other .....................................................86
VPN ......................................................87
Known Issues from ScreenOS 6.3.0r9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
DHCP .....................................................87
Management ...............................................87
Other .....................................................87
Performance ...............................................88
VPN ......................................................88
WebUI ....................................................88
Known Issues from ScreenOS 6.3.0r8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
ALG ......................................................88
Management...............................................88
Other .....................................................88
UTM......................................................88
VoIP ......................................................89
VPN ......................................................89
WebUI ....................................................89
Known Issues from ScreenOS 6.3.0r7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Admin.....................................................89
Antivirus...................................................89
Authentication..............................................89
CLI .......................................................89
DNS ......................................................89
IDP .......................................................89
Management...............................................90
Other .....................................................90
Routing ...................................................90
VPN ......................................................90
WebUI .....................................................91
Known Issues from ScreenOS 6.3.0r6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Known Issues from ScreenOS 6.3.0r5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Known Issues from ScreenOS 6.3.0r4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Other......................................................91
VPN.......................................................91
7Copyright © 2015, Juniper Networks, Inc.
Known Issues from ScreenOS 6.3.0r3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Known Issues from ScreenOS 6.3.0r2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Antivirus(AV)...............................................92
DHCP .....................................................92
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . . 92
Management ...............................................92
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Other .....................................................92
Performance ...............................................93
Routing....................................................93
VirtualPrivateNetwork(VPN).................................93
KnownIssuesfromScreenOS6.3.0.................................93
Flow ......................................................94
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Hardware..................................................94
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . . 94
Other .....................................................94
Routing....................................................95
Voice-over-Internet Protocol (VoIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Security ...................................................95
VirtualPrivateNetwork(VPN).................................95
Errata ............................................................95
Concepts & Examples ScreenOS Reference Guide . . . . . . . . . . . . . . . . . . . . . 96
ScreenOS CLI Reference Guide: Command Descriptions . . . . . . . . . . . . . . . 108
ScreenOS Message Log Reference Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
ScreenOSOnlineHelp...........................................110
Hardware Installation and Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . 111
ScreenOSUpgradeGuide.........................................111
LimitationsandCompatibility.........................................112
Limitations of Features in ScreenOS 6.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
DocumentationChanges.............................................115
Getting Help for ScreenOS 6.3.0 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Copyright © 2015, Juniper Networks, Inc.8
ScreenOS 6.3.0 Release Notes
Version Summary
ScreenOS 6.3.0 firmware can be installed on the following products: Secure Services
Gateway (SSG) 5, SSG 20, SSG 140, SSG 320M/350M, SSG 520/520M, SSG 550/550M,
Integrated Services Gateway (ISG) 1000, ISG 1000-IDP, ISG 2000, ISG 2000-IDP, and
NetScreen-5000 series with the NS 5000-MGT2/SPM2 and NS 5000-MGT3/SPM3.
This release incorporates bug fixes from ScreenOS maintenance releases 5.4.0r26 to
6.3.0r18.
NOTE:
If you are using an SSG 500-series device and an SSG 500M-series device
in a NetScreen Redundancy Protocol (NSRP) environment, all devices
must be running ScreenOS 6.0.0r1 or later.
NSRP clusters require the use of the same hardware products within a
cluster. Do not mix different product models in NSRP deployments. The
exception to this rule is SSG 500-series and 500M-series devices, which
can be used together in a cluster.
New Features and Enhancements
The following sections describe new features and enhancements available in the
ScreenOS 6.3.0 release.
NOTE: You must register your product at http://support.juniper.net to activate
licensed features such as antivirus (AV), deep inspection (DI), and virtual
systems (vsys) on the device. To register your product, you need the model
and serial numbers of the device. At the support page:
If you already have an account, enter your user ID and password.
If you are a new Juniper Networks customer, first create an account, then
enter your ID and password.
After registering your product, confirm that your device has Internet
connectivity. Use the exec license-key update all command to connect the
device to the Juniper Networks server and activate your desired features.
New Software Features and Enhancements Introduced in 6.3.0
The following sections describe the new features introduced in the ScreenOS 6.3.0
release.
9Copyright © 2015, Juniper Networks, Inc.
Version Summary
Authentication
User Authentication—Beginning with ScreenOS 6.3.0, the Juniper Networks security
device supports authentication redirection for HTTP traffic that is directed to a
nonstandard destination port.
Antivirus (AV) and Web Filtering
Sophos Anti-Spam to replace Symantec Anti-Spam—Beginning mid-September
2009, Sophos Anti-Spam service will be made available to the ScreenOS-based
products; SSG, and ISG. The Sophos Anti-Spam service will replace the Symantec
Anti-Spam.
There will be no impact to customers running any version of ScreenOS. No configuration
changes are required. The redirection to Sophos servers will be automatic and
transparent to the end-user. The security devices will be pointed to the Sophos servers.
Antispam—Beginning with ScreenOS 6.2.0, Antispam enhancement inspects the
parameters in the received email header.
Juniper Full Antivirus Database—Beginning with ScreenOS 6.3.0, Kaspersky Lab
supports only a single antivirus database known as Juniper Full Antivirus Database.
The existing databases such as extended, itw and standard are removed.
Virus Description and Alert Message—If the data sent in FTP or HTTP Traffic contains
a virus, the security device replaces the data with a warning message or drops the data.
In both cases, a message with a URL link that describes the virus is logged.
For SMTP, IMAP and POP3 Traffic, the security device in addition to the above, changes
the content type to text/plain, replaces the body of the message with a notice and a
URL link that describes the virus, sends it to the appropriate recipient, and notifies the
sender.
Web Filtering Whitelists and Blacklists Without a LicenseWeb filtering supports
the following features even if the license key is not installed or has expired:
Define Web-filtering profiles and bind them to policies
Retrieve category information for HTTP requests
Define static whitelist and blacklist categories
Check cache for categories
NOTE: The device does not support checking the cache for categories
if the key is not installed, but it does support this check if the key is
expired.
Integrated Web Filtering Based on Group Membership—In the previous release, the
URL filter profile was bound to policy. Beginning with ScreenOS 6.3.0 release, the
administrator can bind the profile to user group. The Web Filtering (WF) Manager
extracts the URL from the request and identifies the username and user group
Copyright © 2015, Juniper Networks, Inc.10
ScreenOS 6.3.0 Release Notes
associated with the IP address. If the user belongs to multiple user groups, the WF
Manager binds the profile with the user group that has highest priority. Then, the WF
Manager identifies the category of the URL and permits or blocks the request
accordingly. User groups can be prioritized.
Increased Number of Web-Filtering Profiles on SSG 500–series—For integrated Web
filtering, the number of customer-defined profiles for SSG 550 and SSG 520 devices
is increased to 300 profiles from 50 (SSG 550) and 25 (SSG 520).
Border Gateway Protocol (BGP)
Redistributing Routes in BGP—For each virtual router (VR), BGP can support up to
17000 redistributable routes. The increase in redistributable routes in BGP to 17000
applies to the NetScreen-5000 platforms only.
Display Format of BGP Community Lists—Beginning with ScreenOS 6.3.0, the
configuration file displays the BGP community lists in a new AA NN format, where AA
identifies autonomous system and NN identifies community. This new format is in
compliance with RFC-1997.
CLI
x-in-ip
set envar x-in-ip
In [ISG-1000 and ISG-2000] devices, Protocol 97 forwards traffic through
CPU and not hardware, causing high CPU. To allow the unknown protocols
like Protocol 97, use the following command: set envar x-in-ip=yes
Use unset command to disable envar.
x-in-ip
Example: The following command allows the unknown protocols like Protocol 97 on
the device:
set envar x-in-ip=yes
reset
Device Management
Enabling Syslog on Backup Devices—By default, backup devices in an active/passive
NSRP configuration send all syslog messages to the syslog server. This allows an
administrator to effectively monitor backup devices.
Simple Network Management Protocol Version 3 (SNMPv3)— ScreenOS 6.3.0
supports SNMPv3 framework. System status data can be collected securely from the
device without the data being tampered with and corrupted. The SNMPv3 USM allows
ScreenOS to encrypt the confidential information to prevent the contents from being
exposed on the network. The SNMPv3 VACM provides a configurable access control
model for easy administration.
Interface Administrative Status—ScreenOS 6.3.0 supports a command for setting
an interface administrative status to the down state. By default, the administrative
11Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
status of an interface is set as up. The administrator can disable the administrative
status of an interface with the CLI:
set interface xx disable
Increased Number of Hosts per SNMP Community—Beginning with the ScreenOS
6.3.0 release, you can configure 64 hosts per SNMP community. In earlier releases of
ScreenOS, this value was limited to no more than 40 hosts per SNMP community.
Include Device Serial Number in Log Messages—Beginning with the ScreenOS 6.3.0
release, for system logs, the device serial number is used as a unique device identifier
within the logs.
VLAN1 Interface to Support DHCP and AUTO Configuration—Beginning with the
ScreenOS 6.3.0 release, the VLAN1 interface of a device in transparent mode supports
the DHCP client and AUTO CONFIG features.
Loading Configuration from USBWhen the SSG device initializes, and if the
administrator has configured envar properly, then ScreenOS can check if the USB
device is connected to the port and loads the configuration file usb: auto_config.txt (if
the file is stored in the USB device).
Dynamic Host Control Protocol (DHCP)
DHCP supportThe maximum number of DHCP relay agents supported is enhanced
from 3 to 4.
Internet Protocol Security (IPsec)
AC VPN Enhancements—ScreenOS 6.3.0 supports dual-hub Auto Connect virtual
private network (AC-VPN) where one hub remains active, passing the traffic from one
spoke to another spoke until a dynamic VPN tunnel is established. The hub with the
highest routing instance priority becomes the active one. The spokes use the VPN
monitoring feature to check the status of the hubs. When the hub acting as a primary
fails, the dynamic tunnel and its associated NHRP routing instance are removed at
both the spokes. Traffic begins to pass through the other hub, which creates a new
dynamic tunnel. If the failed hub comes back, the spokes choose this hub again because
of the priority setting. However, the traffic continues to flow through the newly created
dynamic tunnel until the other fails.
Support for Multiple Proxy IDs Over Route-Based VPN—ScreenOS 6.3.0 supports
multiple proxy IDs on a route-based VPN. If multiple tunnels exist between peers, the
security device uses proxy IDs to route the traffic through a particular tunnel. For each
proxy ID, a specific tunnel and Phase 2 SA are associated. When traffic matching a
proxy ID arrives, the security device does a proxy-ID check to route that traffic. If multiple
proxy IDs are defined for a route-based VPN, a proxy ID check is always performed,
even if it is disabled. In a hub-and-spoke topology, proxy IDs should be defined for both
hub-to-spoke and spoke-to-spoke configurations.
DPD EnhancementScreenOS 6.3.0 provides a DPD enhancement that allows the
dead peer to failover the tunnel to another VPN group member with the second highest
weight. It uses the DPD reconnect parameter to renegotiate the tunnel with the dead
Copyright © 2015, Juniper Networks, Inc.12
ScreenOS 6.3.0 Release Notes
peer at specific intervals. If the tunnel is successfully renegotiated, the tunnel fails back
to the first member.
Elliptical Curve Diffie-Hellman Key Arrangement—ScreenOS 6.3.0 supports elliptical
curve Diffie-Hellman (ECDH) groups 19 and 20 for Internet Key Exchange version 1
(IKEv1) key exchange. ECDH uses elliptical curve cryptography to generate public-private
key pair. The module sizes of DH groups 19 and 20 are 256 bits and 384 bits ECDH
prime curves, respectively.
Support Authentication Header Transport Mode—[ISG 1000/2000, NS 5200/5400
M2/SPM2 , NS 5200/5400 M3/SPM3] ScreenOS 6.3.0 supports authentication header
(AH) transport mode on high-end systems for IPv4 packets only. This feature does not
work if IPv6 is enabled in the system environment.
IKEv2 Configuration Payload (CP) and Dial-up Support—Support for IKEv2
configuration payload (CP) for dynamic end points and IKEv2 dial-up group user VPN
is available in this release. For details on the implementation, refer to the Concepts &
Examples ScreenOS 6.3.0 Reference Guide.
Internet Protocol Version 6 (IPv6)
Support OSPFv3 for IPv6 —Beginning ScreenOS 6.3.0, Juniper Networks security
device supports OSPFv3 for IPv6. Most configuration and operational commands
function essentially the same as in OSPFv2.
OSPFv3 does not support the following features:
NBMA link and neighbor authentication
Demand Circuit and NSSA
Multiple instances per link.
OSPFv3 is supported across all platforms. However, advanced mode license is required
to run it on the following devices:
ISG1000
ISG1000 with SM
ISG2000
ISG2000 with SM
Command to Inhibit AAAA Requests over IPv4—ScreenOS 6.3.0 provides an option
to enable or disable the Network Address Translation-Port Translation Domain Name
System Application Layer Gateway (NAT-PT DNS ALG) to modify DNS requests
received from the IPv6 domain. Besides translating the addresses for transmitted DNS
requests, the NAT-PT DNS ALG also modifies the DNS request before forwarding it to
another domain that has only IPv4 addresses. By default, this option is disabled.
IPv6 Prefix and DNS Information Update—ScreenOS 6.3.0 supports dynamic IPv6
prefix and DNS information update from the upstream DHCPv6 server. A CPE router
acting as a DHCPv6 and PPPoE client negotiates IPv6 prefixes and DNS information
for the downstream DHCPv6 server on the other interface of the same CPE router. If
the connection between the CPE router and the upstream DHCPv6 server is
13Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
disconnected and then re-established, the CPE router updates the newly learned IPv6
prefix and DNS information dynamically on the downstream DHCPv6 server without
waiting for the delegated prefix to expire.
SIBR IPv6 Support—Beginning with ScreenOS 6.3.0r13, the Source Interface-Based
Routing (SIBR) feature supports IPv6 SIBR tables. When SIBR is enabled in a virtual
router (VR), the security device performs route lookup in an SIBR routing table. The
configuration of this feature remains the same, except for the fact that the interface
gateway cannot be used as a next-hop if the IPv6 gateway parameter is not specified.
The CLI command is updated as:set vrouter <vr_name> route source in-interface
<interface_name> <IPVX_addr1/mask> interface <interface_name> gateway
<IPVX_addr2>
Client-to-Site IPv6 VPN Support—Beginning with ScreenOS 6.3.0r13, configuring IPv6
addresses from a server to a client is now supported with IPv6 IP pools. A new command
has been introduced:set ippool [ippool name]<ipv6 address> <ipv6 address>.
ISG-IDP Diagnostic Improvements
IPv6 Full Support on ISG-IDP—Beginning with ScreenOS 6.3.0, ISG Security Module
provides IPv6 support for the following features: packet capture and packet logs for
IPV6 traffic; configure header match information for IPv6 traffic and ICMPv6 messages;
IPv6 traceroute anomaly; IPv6 log messages in the NSM log viewer.
ISG-IDP Means to Identify the Secure Module (SM) Used by a Session—Beginning
with ScreenOS 6.3.0, users can identify which SM card and CPU a session is using. It
is possible to filter the session table output with the CLI command get session sm-slot
slot-id sm-cpu cpu-no.
Command for Displaying CPU Usage on SM—Beginning with ScreenOS 6.3.0, users
can enable the security device to calculate the CPU usage of the ISG Security Module
for the last 60 seconds, last 60 minutes, and last 24 hours by using the
sc_enable_cpu_usage parameter.
Transfer Core Dump to the Management Module Flash or Compact Flash—Beginning
with ScreenOS 6.3.0, users can transfer the core dump files from the RAM disk of the
ISG Security Module to the flash memory of the management module using the CLI
command set sm-ctx coresave.
SNMP Trap and Event Log Entries for ISG with IDP—From ScreenOS 6.3.0, ISG Security
Module supports generating log messages and SNMP Traps when CPU usage, memory
usage, and session count per IDP security module exceeds the user-defined threshold.
The device also generates messages when it detects an IDP security module failure.
NOTE: The user-defined threshold value is not stored in NSM. The value
is reset to the default once the system reboots.
Inspection of Multicast traffic by IDP Security Module—Beginning with ScreenOS
6.3.0, users can enable ISG Security Module to inspect multicast traffic by using the
CLI command set flow multicast idp.
Copyright © 2015, Juniper Networks, Inc.14
ScreenOS 6.3.0 Release Notes
NOTE: For multicast traffic inspection, all outgoing interfaces should belong
to the same zone.
UAC Integration with Role-Based IDP Policy—From ScreenOS 6.3.0, ISG Security
Module can support role-based IDP policy. Administrators can configure the security
device to inspect traffic using either user roles or source IPs. When user-role-based
IDP inspection is selected, the security device starts checking user-role-based policies
first; if a match is not found, only then the security device searches for IP-based rules.
This feature requires UAC deployment and role information is provided by Infranet
Controller.
Network Address Translation (NAT)
Enhancement to IKE and ESP Passthrough Traffic—Beginning with ScreenOS 6.3.0,
Network Address Translation (NAT) supports both NAT-Traversal and
Non-NAT-Traversal IKE and IPsec passthrough traffic. The Application Layer Gateway
(ALG) is enabled to support interface NAT and IKE DIP pool NAT.
Support for More Than 62946 Sessions per IP in a DIP Pool When the security
device performs NAT-src with a DIP pool containing an IP address range with PAT
enabled, each DIP:DPort pair can only be assigned to one session. Beginning with
ScreenOS 6.3.0, you can enable DIP to support multiple sessions per DIP:DPort. The
DIP pool supports multiple session per DIP:DPort only if two packets have different
destination IP addresses. After configuring the DIP pool scale size, every IP address
contains multiple port pools that consist of all available ports for an IP address. Every
IP can support up to scale-size* 62463 sessions.
The maximum scale size for an interface cannot exceed the DIP scale size value
specified in the vsys profile.
TCP Session Close Notification—ScreenOS sends a TCP session close notification
ACK message to both the client and the server when a session is being closed.
To enable a policy to send TCP session close notification, complete the following
prerequisites:
You must enable TCP SYN checking and TCP reset options in both the client and
the server zones.
You must enable TCP sequence check only for ISG 1000/2000 and NS 5200/5400.
Creating a Session Cache to Accelerate HTTP Traffic—Beginning with ScreenOS
6.3.0, you can create a session cache for HTTP-based protocols to minimize CPU
utilization and to enhance performance. A session cache is a special structure that
caches all the reusable information of both software and hardware sessions created
by the first connection of an HTTP session bundle.
A session cache supports other traffic but does not ensure performance enhancement.
You cannot create a session cache for the following conditions:
When the session is synched from another security device.
15Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
When the session is created by an Application Layer Gateway (ALG).
Importing Traffic to the Correct VSI by Proxy ARPThe administrator can enable
importation of traffic to the correct VSI by setting the proxy ARP entry. Upon adding a
proxy ARP entry on an interface, ScreenOS imports the traffic that is destined to the
IP range using this interface.
You can use the CLI command proxy-arp-entry or WebUI Network > Interface > Edit>
Proxy ARP Entries to set the proxy ARP entry.
NAT-Dst Port Shift using VIP—Using the port-range VIP entry, a range of ports can be
mapped between Virtual IP and Real Server IP.
NetScreen Redundancy Protocol (NSRP)
Add More Detail to the Output of get nsrpThe output of the get nsrp vsd-group
command includes a new column; the uptime column for VSD group or myself uptime
column for current security device denotes the duration in the primary or backup state.
Other
Hot Patch Management—Beginning with ScreenOS 6.3.0, the hot patch enables
injecting the customer service patch into the running image without rebooting the
security device. The hot patch as debug patch provides for easier debugging.
The ScreenOS hot patch management component runs on the security device and
performs the following functions:
Loads the hot patch file from TFTP to flash memory
Removes the hot patch file from flash memory
Maintains the patch finite state machine (FSM)
Cache Recently Used Route and ARP Entries—Beginning with ScreenOS 6.3.0, Juniper
Networks security device allows the user to cache recently used route and ARP entries
for destination routes by using the set flow route-cache command. This feature does
not work if ECMP is enabled.
Ability to Add exec and save Commands to Scripting Tool—Beginning with ScreenOS
6.3.0 release, the ScreenOS scripting tool supports the exec and save commands.
These commands are visible in the script context record. The parser identifies these
commands in the script record context and saves them into the script. This
enhancement enables the user to execute commands that facilitate troubleshooting.
Timeout for Track IP—Beginning with ScreenOS 6.3.0, the user can set the maximum
timeout value for track IP.
Boot with Default Gateway IPThe new ScreenOS boot loader allows you to define
a default gateway IP, then user can download image from a remote TFTP server.
Identifying Gigabit Interface—Beginning with ScreenOS 6.3.0, users can identify the
type of gigabit interface using the CLI command get interface interface-name.
Copyright © 2015, Juniper Networks, Inc.16
ScreenOS 6.3.0 Release Notes
Boot Loader for SSG and Boot ROM Version for ISG or NetScreen–5000 series
Displayed in CLI—Beginning with ScreenOS 6.3.0, you can view the boot loader for an
SSG device and boot ROM version for ISG or NetScreen–5000 device using the get
system command.
Example 1:
ssg20-> get system
BOOT Loader Version: 1.3.2
Example 2:
nsisg2000-> get system
BOOT ROM Version: 1.1.0
WELF Log Format Enhancement—Beginning with ScreenOS 6.3.0, enhancements
have been made to the event log, traffic log and IDP log formats to follow the WELF
log regulation. If backup for the logs is enabled, logs can be sent to a maximum of four
Webtrends servers. TCP or UDP transport protocol can be used for communication.
IP connections can be manually reset. The following log types must be sent along with
the appropriate heading prefix:
Configuration log [Config Change]
URL Filter Detection [URL filtering]
AntiVirus Detection [AntiVirus]
Antispam Detection [AntiSpam]
IPS/DI Detection [IPS/DI]
Screen Attack [Attack]
SCTP Protocol Filtering—Beginning with ScreenOS 6.3.0, the existing Stream Control
Transmission Protocol (SCTP) stateful firewall supports protocol filtering. You can
configure the security device to permit or deny traffic based on the SCTP Payload
Protocol and M3UA Service Indicator. The Payload Protocol identifies the type of data
being carried out by the SCTP data chunk, the M3UA Service Indicator identifies the
type of data being carried out by the M3UA data message. Based on the Payload
Protocol, you can create an SCTP profile and bind it to a policy.
NOTE: ScreenOS supports SCTP protocol filtering on NetScreen-5000
and ISG series devices only.
Converting join-group igmp Commands to exec join-group—Beginning with ScreenOS
6.3.0, the exec join-group and exec leave-group commands replace the set igmp
join-group and unset igmp join-group commands. The exec join-group command replaces
the set join-group command. The exec leave-group command replaces the unset
join-group command. There is no impact on the functionality of the commands. The
set and unset commands are deprecated.
Boot Loader for SSG-140A new boot loader version Loadssg140v326.d has been
released for SSG-140 platform. For more information, see the JTAC knowledge base
number KB 23407 located at http://kb.juniper.net/KB23407
17Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
Policies
Policy Installation Enhancement —Beginning with ScreenOS 6.3.0, the policy
installation process has been enhanced.
The new process provides the following advantages:
Avoids frequent policy re-installation caused by dynamic DNS address changes.
Eliminates traffic drops while installing the policy.
Allows the user to configure the hold-interval option of policy installation using the
following CLI command:
set policy install hold-interval seconds
The default value is 5 seconds. The minimum is 0 and the maximum is 10. This
command specifies the maximum time interval between when policy configuration
occurs and actual policy installation begins. When the user creates a new policy or
modifies an existing policy, the policy installation is delayed by up to the value of
hold-interval value specified. This allows the system to more efficiently process the
session table by handling several updates at once or by reducing the thrashing caused
by extremely rapid updates.
unset policy install hold-interval
The unset command resets the default value of hold-interval.
Example: To configure hold-interval option to 2 seconds:
set policy install hold-interval 2
DSCP Marking for Self-Initiated Traffic—Beginning in ScreenOS 6.3.0r12, you can
configure IKE packets with DSCP values for self-initiated packets. During IKE module
process negotiation, the configured IKE packets marked with the values can be used.
To mark the IKE packets with the specified value, enable the service using the command
set ip service ike dscp <dscp-value>.
DSCP Marking Based on Policy Configuration—In ScreenOS 6.3.0r12, when a session
matches a policy with DSCP enabled, the bidirectional traffic performs the DSCP
marking.
The DSCP feature is now enhanced to prevent DSCP re-marking packets that already
have a DSCP value. This feature enables a DSCP group to have more than one DSCP
value for a packet.
The DSCP marking for each packet is checked to determine whether the DSCP value
belongs to a DSCP group before the packet does the DSCP marking. If the DSCP value
does not belong to a DSCP group, the device retains the packet's DSCP value.
Low-End Platforms—For CPU-based platforms, all packets in the first path or fast
path are checked for DSCP value and DSCP marking based on policy configuration.
The configuration is effective in all conditions irrespective of whether the first packet
matches the policy configuration or not.
High-End Platforms—For high-end platforms, the DSCP marking for fast path is
processed by the ASIC according to the session installed by the first path. Only the first
Copyright © 2015, Juniper Networks, Inc.18
ScreenOS 6.3.0 Release Notes
path is checked for the DSCP value to determine the DSCP marking based on policy
configuration.
If the first packet arrives with an existing DSCP value and if the DSCP value does not
belong to the DSCP group in the policy configuration, then the session will not perform
DSCP marking for that packet. Subsequent packets in the session will also not have
the DSCP marking done even if the DSCP value matches the DSCP group in the policy
configuration.
NOTE: If the policy has been configured as no-hw-sess in high-end
platforms, then the implementation is same as in low-end platforms, as
all the packets are processed by the CPU.
The DSCP group is used to classify traffic within the device and to classify a number
of DCSP values having the same behavior as the configured DSCP group. The DSCP
group allows you :
To create a DSCP group and to define the DSCP group type. The maximum number
of DSCP groups allowed per VSYS is 64. The DSCP group types are:
Include—Specifies adding or including the DSCP values to the configured DSCP
group . By default, the DSCP value for a group is zero.
set dscp-group name <group name> include
Exclude—Specifies to removing or excluding the DSCP values from the configured
DSCP group. By default, the group contains 64 DSCP values.
set dscp-group name <group name> exclude
To configure a DSCP value for a policy. If a DSCP value is not configured for any
policy, then you can insert a DSCP value into a DSCP group, or you can delete a DSCP
value from a DSCP group.
set dscp-group <group name> dscp-value <low number>-<high number>
To display the DSCP group information.
get dscp-group <group name>
To bind a DSCP group to a policy for low-end platforms:
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic dscp enable <value> group-dscp <group name>
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic dscp enable group-dscp <group name>
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic dscp enable value <value> group-dscp <group name>
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic dscp enable group-dscp <group name>
To bind a DSCP group to a policy for high-end platforms:
19Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic priority <value> dscp value <value> group-dscp <group
name>
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic dscp value <value> group-dscp <group name>
Set policy from <zone_name> to <zone_name> <src_addr_name> <dst_addr_name>
<service name> <action> traffic priority <value> group-dscp <group name>
Routing
IRDP Support for All Platforms—Beginning with ScreenOS 6.3.0 release, ICMP Router
Discover Protocol (IRDP) support is available on all platforms; however, IRDP support
is available only on an Ethernet interface with an IP address.
DSCP Marking for Self-Initiated TrafficThe administrator can configure the DSCP
value for traffic initiated by the security device. The DSCP value can be configured for
11 services: BGP, OSPF, RIP, RIPNG, TELNET, SSH, WEB, TFTP, SNMP, SYSLOG, and
WEBTRENDS. You can use both the CLI and the WebUI to configure DSCP marking.
QoS Classification Based on Incoming Markings—In ScreenOS 6.3.0, traffic-shaping
policies are enhanced to support quality of service (QoS) based on the IP precedence
and Differentiated Services code point (DSCP) marking of incoming packets. The QoS
classification feature for incoming traffic works only if the traffic-shaping mode is set
to Auto or On.
Adding Routes to BGP—In ScreenOS 6.3.0r11, the Border Gateway Protocol (BGP)
conditional advertisement feature supports route advertisement using different address
family checks. By default, a BGP advertises the best routes in its routing table to its
peers. You can use the BGP conditional advertisement feature by using the check option
in set vr <virtual-router-name> protocol bgp command to configure conditional
advertisement of BGP routes to a peer or a peer group in a different address family.
BGP conditional advertisement is supported in IPv4 and IPv6 address families.
To configure and to advertise one IPv4 network route to peer and check the
reachability of one IPv4 subnet or IPv6 subnet:
set vr vr-1 protocol bgp ipv4 network <ipv4_addr/mask>
check<ipv4_addr/mask|pv6_add /prefix_length>
To configure and to advertise one IPv6 network route to peer and check the
reachability of one IPv4 subnet or IPv6 subnet:
set vr vr-1 protocol bgp ipv6 network <ipv6_addr/prefix_length >
check<ipv6_addr/prefix_length | ipv4_addr/mask>
The conditional advertisement feature has been enhanced to include the following
new configuration option and parameters to check the subnet of different address
family:
ipv4_addr/mask — The IP address and subnet mask of the network. The subnet mask
value indicates which bits of the address are significant. The mask does not have to
be the same as the subnet mask used in the network. For example, 10.0.0.0/8 is a
Copyright © 2015, Juniper Networks, Inc.20
ScreenOS 6.3.0 Release Notes
valid network to be advertised by BGP. When the check option is used,
ip4_addr1/mask1 can be a MIP address range.
ipv6_addr/prefix_length — The IP address and prefix length of the network. The
address is specified in hexadecimal format, using 16-bit values between colons. The
prefix length is a decimal value that indicates how many of the high-order contiguous
bits of the address comprise the prefix (the network portion of the address).
check— Directs the device to check network reachability before advertising BGP
peers.
Security
Denial of Service Attack Defenses—ScreenOS 6.3.0 supports the feature of strict
TCP-SYN-check wherein a strict syn check is applied to all the packets in a TCP
three-way-handshake before the three-way handshake completes. Users can enable
this feature by using the set flow tcp-syn-check strict command.
Verification of IP address in ASIC Whitelist—Beginning with ScreenOS 6.3.0, users
can verify if a specific IP-address is in the ASIC whitelist by using the get asic ppu
whitelist ip-address command.
Support for SecureID Server Cluster—RSA supports a primary server and up to 10
replica servers to process authentication requests. At least one of primary or slave
servers must be configured with static IP. RSA SecureID Server Cluster supports the
name locking, load balancing, and failover functions.
Virtual Private Network (VPN)
Enhancement to VPN support in VSYS— The system can only support up to 16K static
VPN tunnels in a VSYS. An enhancement was made to enlarge per-VSYS static tunnel
capacity to the system max (25K) by preempting VPN group tunnels via environment
variable "no-vpn-grp=yes".
Automatically Configuring a Local IPv6 Address for an IPv6 IKE Gateway— In
ScreenOS 6.3.0r11, you can automatically configure a local address for IPv6 IKE gateway.
In order to configure an IPv6 IPsec tunnel, you must define the local IPv6 address in
the IKE tunnel configuration. When you are configuring large number of devices, defining
a local IPv6 address can be difficult. This enhancement enables you to automatically
configure a local IPv6 address through DHCPv6 or IPv6 Stateless Address Auto
Configuration (SLAAC) into the IKE tunnel configuration.
To automatically configure a local address for an IPv6 IKE gateway, set the IPv6 address
0::0 as the local address in the following command:
For IKEv1
set ike gateway <name> address <peer-ipv6-addr> aggressive outgoing-interface
<out-if-name>local-address 0::0 preshare <secret> sec-level standard
21Copyright © 2015, Juniper Networks, Inc.
New Features and Enhancements
Changes to Default Behavior
This section lists changes to default behavior in ScreenOS 6.3.0 from earlier ScreenOS
firmware releases.
Changes to Default Behavior Introduced in 6.3.0
BGP Configuration — After you upgrade from ScreenOS 6.1 to ScreenOS 6.3, only the
connected route will be displayed in the routing table. However, the BGP route export
will fail, because the firewall is not configured to the connected routes.
To force the route export:
set vrouter "trust-vr"
set protocol bgp <protocol>
[...]
set ipv4 network <ip address> no-check
[...]
New Image Key — ScreenOS firmware versions are now signed with a new image key.
Before you can upgrade any ScreenOS image, that has a date of August 13, 2014, or
later, you will need to either install the new image key or delete the previous image
key.
NOTE: As on August 13, 2014, the previous versions of ScreenOS firmwares
that were signed with the old image key are removed from the Juniper
Networks software download site and reposted after signing with the new
image key.
For more information, see the JTAC knowledge base numbers TSB16495
and TSB16496 located at https://kb.juniper.net/TSB16495 and
https://kb.juniper.net/TSB16496 respectively.
Copyright © 2015, Juniper Networks, Inc.22
ScreenOS 6.3.0 Release Notes
Changes to Default Behavior Introduced in 6.3.0r17
SNMP Configuration — An “ipaddr has been configured in v1/v2 mode." error was
displayed when an SNMPv3 was being configured after SNMPv2 was configured. An
“ipaddr has been configured in v3 mode." error was displayed when an SNMPv2 was
being configured after SNMPv3 was configured.
Changes to Default Behavior Introduced in 6.3.0r13
NSRP ConfigurationThe backup interface status (ifOperStatus) displays the state
as testing when the physical interface status is UP and as down when the physical
interface status is DOWN in an NSRP passive cluster member.
Changes to Default Behavior Introduced in 6.3.0r11
Public Key Infrastructure— A new command is introduced to support manual certificate
renewal process by using the same distinguished name without modifying the
configuration but by updating the existing certificate in use by removing it.
set pki x509 manual-renew
To work on this feature, perform the following:
Generate a key-pair: If the key-pair with the DN is supported in PKI-store, then add
a pad to PKI-store using CN=NSMANAULRENEW command to generate a new
key-pair. As a result, there are two key-pairs in PKI-store.
Generate a PKI request: If there is a pad CN=NSMANAULRENEW already available
in the DN for the key-pair, then remove the pad to generate PKI request. This is to
ensure that the new certificate will have the same DN as the old certificate.
Load the certificate: The new certificate with the same DN replaces the old certificate.
Recording event log messages in the right VSYS — In a multiple VSYS configuration
on the firewall, an event that occurred in a specific custom VSYS-A was incorrectly
recorded as an event log message in the root VSYS or in a different custom VSYS-B.
This behavior is corrected and fixed. As per the behavior change we now log the event
log messages under the right VSYS specified for and will avoid logging incorrect event
log messages in different VSYS.
Changes to Default Behavior Introduced in 6.3.0r8
IGMP packets compatibility —A command was introduced to permit IGMP packets
with TTL greater than one and to provide compatibility with other interoperability
devices:
set interface <interface name>protocol igmp no-check-ttl
Firewall can block packets with a Routing header—Firewall has the ability to block
packets with a routing header type 0. To avoid blocking all the routing headers, the
firewall supports the routing header type filters using the following command:
set service < name>protocol routing-ext-hdr type<value>
23Copyright © 2015, Juniper Networks, Inc.
Changes to Default Behavior
Changes to Default Behavior Introduced in 6.3.0r7
HMAC SHA-256 RFC 4868 complianceThe previous implementation of HMAC
SHA-256, incorrectly truncated the message digest at 96 bits. It now uses 128 bits, in
accordance with RFC 4868.
Changes to Default Behavior Introduced in 6.3.0r5
IPv6 packet extension headerTo filter or deny the extension header with user-defined
service, define the src-port and dst-port as wildcard 0-65535.
Changes to Default Behavior Introduced in 6.3.0r4
NSRP Configuration—NSRP configuration is out of synchronization due to set tftp
source-interface <interface name> command.
Changes to Default Behavior Introduced in 6.3.0r3
Increase in the capacity of number of service objects and address groups—For ISG
Series, the capacity of number of service objects and address groups is increased to
4096. For NS 5000, only the capacity of number of service objects is increased to
4096.
Maximum timeout value of ipsec-nat algThe maximum value of ipsec-nat alg timeout
has been changed from 180 to 3600 seconds.
VPN tunnel capacity for advanced license key—On SSG550, the VPN tunnel capacity
has been changed from 1000 to 2048 for advanced license key.
Unexpected Low VPN ThroughputWhen VPN monitor is configured for VPNs on
NetScreen-5200 or NetScreen-5400, the device can define sub-optimal ASIC mapping
for processing VPN traffic in the hardware which causes unexpected low VPN
throughput. A new command set flow ipsec-distr-asic is introduced to include the
enhancement that VPN encryption will be distributed into different chips based on the
tunnel's SA index per round robin. By default, it is disabled. This is applicable for
NetScreen-5000 series only. For NetScreen-5000 series with VPN on IPv6 environment,
enabling this command is not recommended as it would yield less than optimal
performance.
Changes to Default Behavior Introduced in 6.3.0r1
The set igmp join-group and unset igmp join-group commands for the interface are
deprecated. If you execute the set/unset igmp join-group commands, the following
warning appears:
WARNING: This command is a deprecated command and cannot be saved to
configuration. Please use the following new preferred syntax:
exec igmp interface if_name join-group group_addr [{ include | exclude| to_include
|to_exclude} sources_ip ]
The CLI command set interface interface nameproxy-arp-entry ip_min ip_max takes
precedence over the existing set arp nat-dst command. This means that when the
Copyright © 2015, Juniper Networks, Inc.24
ScreenOS 6.3.0 Release Notes
proxy ARP entry is defined and matched, then the system does not respond to the ARP
request via the physical interface.
Because the set interface interface nameproxy-arp-entry ip_min ip_max command allows
the customer to have better control of the device, the command set arp nat-dst is not
recommended.
The SNMP changes might affect the management software as follows:
Logical interfaces are added to the interface table.
Several new SNMP traps are introduced in the ScreenOS 6.3.0. For details on the
new SNMP traps, see the change history of published ScreenOS 6.3.0 MIB
NS-TRAPS.mib.
You can consider modifications as required.
Network and Security Manager (NSM) Compatibility
This section provides information about updates required to complementary Juniper
Networks products to ensure their compatibility with ScreenOS 6.3.0.
Support for ScreenOS 6.3.0 has been introduced with NSM 2009.1r1. Navigate to the
Support webpage for more information: http://www.juniper.net/support.
Detector and Attack Objects Update (only for ISG-IDP)
The Detector Engine shipped with this ScreenOS version is 3.5.140842. For more
information on the availability of new releases, see the Detector Engine Release Notes
at http://www.juniper.net/techpubs/software/management/idp/de/.
After you have performed the ScreenOS firmware upgrade, you must update to the latest
IDP Detector Engine and Attack Object database:
1. Download the latest detector and attack database to the NSM GUI server. From NSM,
select Tools > View/Update NSM attack database, and complete the wizard steps.
2. Push the detector update to the ISG-IDP devices. From NSM, select Devices > IDP
Detector Engine > Load IDP Detector Engine, and complete the wizard steps.
3. Push a policy update to the ISG-IDP devices. From NSM, select Devices > Configuration
> Update Device Config, and complete the wizard steps.
Addressed Issues
The following operational issues from ScreenOS 6.2, 6.1, 6.0, and 5.4 release branches
were resolved in this release:
25Copyright © 2015, Juniper Networks, Inc.
Network and Security Manager (NSM) Compatibility
Addressed Issues in ScreenOS 6.3.0r19
Admin
952483 - The firewall did not allow the configuration of schedule and notify-conn-close
parameters within the same policy.
Antivirus
955656 - An antispam feature blocked e-mails from a few domains because the SMTP
parser transformed the dot (.) in the domain address to the IP address 0.0.0.0, which
was considered an invalid parameter.
DNS
970550 - An exception dump occurred because of the improper DNS handling of an
address book entry.
1036414 - The performance of DNS requests decreased after upgrading from ScreenOS
6.2 to ScreenOS 6.3.
WebUI
946406 - An exception dump occurred when a policy was either added or edited
through WebUI, because of a comma included in the address book.
981226 - WebUI exceeded the permissible limit of the UDP flood threshold
configurations.
Others
959898 - An exception dump occurred when the DI database was updated.
962983 - An exception dump occurred because of the invalid pointers on packets that
traveled through a tunnel.
986860 - An exception dump occurred because of memory loss in the SNMP module.
1003865 - Memory was overwritten in the IDP Security Module because of a race
condition.
1004818 - SNMPv3 failed to function when a string entry in the local-engine id field
was longer than 27 characters.
1005074 - The MSRPC connection failed when no new cookies were left for allocation
to establish a new MSRPC connection.
1011948 - Unable to specify MGT zone for SNMPv3 src interface.
1012257 - An exception dump occurred when memory availability was zero as a result
of memory leakage.
1014009 - A temperature alarm failed to be triggered when the threshold temperature
was set lower than the system temperature.
Copyright © 2015, Juniper Networks, Inc.26
ScreenOS 6.3.0 Release Notes
1016586 - An exception dump occurred when a VSYS was deleted.
1031677 - An exception dump occurred because of the corrupted link list in the SCTP
ALG module.
Routing
950554 - Routes flapped intermittently when OSPF transitioned from type 7 to type
5 LSA.
994030 - The firewall created duplicate OSPF route entries in the routing table with
the next hop as 0.0.0.0.
Security
959847 - The firewall displayed the "packet too big" error for IPv6 packets when the
interface MTU was set to 1500.
968746 - The firewall blocked traffic from a chassis with a 16-port Ethernet card when
one of the ports was enabled.
1004221 - The backup firewall with dual stack IPv4/v6 experienced packet loss when
IPv6 was enabled.
1008315 - Global tcp-mss did not function as expected when the firewall started a
syn-proxy defense.
1017672 - The firewall failed to reverse-translate the port number in the SIP payload
when DIP/interface NAT was used.
1023661 - The firewall dropped fragmented packets in the ASIC.
1033963 - SSLv3 was manually disabled because of a vulnerability in the protocol to
POODLE attacks.
1039268 - The firewall displayed the "Address: Duplicate entry" error for an unknown
reason when an address was configured.
VPN
977062 - The "shared to fair" and "fair to shared" transitions for CPU limit were forcibly
written in logs in the root VSYS.
1007969 - The maximum number of supported proposals for IKE negotiation increased
from 10 to 15.
27Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Addressed Issues from ScreenOS 6.3.0r18
Admin
979649 - Administrative SSH sessions remained on the device even after the session
timed out.
Antivirus
960784 - When AV was enabled, some YouTube videos could not be played.
WebUI
912330 - When the user attempted to view the interface bandwidth table, the WebUI
displayed a blank page with a small square box in the upper left corner.
927619 - In the WebUI, configuration information about the SNMP host could not be
located.
971932 - The DSCP value could not be updated when the corresponding policy was
created via WebUI.
975830 - When the user attempted to modify an interface that had been configured
with the WebUI, the CLI displayed the following syslog message:
Interface ethernet3/15.1 being used as syslog src-interface. Please unset it first.
Others
733966 - An exception dump occurred when the SCCP ALG was processing SCCP
traffic.
812829 - SSG Series devices rebooted and created a core file when an attack database
was manually updated.
847275 - [ISG/NS5000] An exception dump occurred in ASIC platforms because of
a double session free condition, which caused a session list corruption.
933472 - SIP 200 OK packets were dropped when the SIP ALG tried to multicast SDP
packets.
956617 - An exception dump occurred when the device was reading the physical
registers of the interface.
954715 - A few SNMP traps in the NS-TRAPS.mib file were missing.
968621 - A few TCP packets were dropped in a GRE tunnel when the packet IP length
was odd.
975993 - SNMP was only able to query the primary power supply in an SSG500.
978458 - Even when no debugs were enabled, the get db st command displayed the
following error message:
Inherit policy from parent in backward case.
Copyright © 2015, Juniper Networks, Inc.28
ScreenOS 6.3.0 Release Notes
978819 - An SNMP walk operation failed to display BGP peers in a custom virtual
router.
979058 - An exception dump occurred because data traffic arrived on a PIM when a
neighbor was being deleted.
980787 - The alarm LED did not change to red when the device reached the
low-memory threshold.
985306 - An exception dump occurred while a policy was being changed in NSM,
because of an incorrect dump operation that was performed during a session rematch.
994095 - While performing NAT with session cache enabled, DIP ports were not
released even when no DIP sessions were available.
1004065 - When the content length field was greater than 65,535 in an RTSP payload,
the RTSP ALG modified the field value incorrectly.
1006677 - An exception dump occurred during IKE negotiation when IKE proposals
used either group 19 or group 20.
Routing
960773 - The BGP neighboring node flapped when the path attribute length was not
set in the BGP route update.
Security
937739 - [SSG140] The traffic initiated from the firewall failed to pass to another
device because of a "wait for arp rsp" string in the debug flow.
939364 - An exception dump occurred because a local-packet-double-free issue was
caused by heavy traffic.
938185 - The enforcer failed to automatically reconnect to the Infranet Controller
when the active/backup cluster failed twice.
988559 - The firewall retransmitted packet-capture files and closed sessions with
the reason given as “other”.
999772 - ScreenOS was potentially vulnerable to a CVE-2014-0076 ECDSA nonce
disclosure using a side-channel attack.
VPN
958251 - The IKEv2 VPN traffic failed after a rekey, when NAT-T was involved.
Addressed Issues from ScreenOS 6.3.0r17
CLI
954276 - IPv6 self logs were not generated for the unicast IPv6 traffic with the set
firewall log-self exclude multicast command enabled.
955531 - The get route ip command displayed an incorrect virtual router when Inter-VR
routing was configured.
29Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Others
686132 - VIP destinations were identified as being down because of the short socket
queue length.
835847 - An exception dump occurred while processing the IPsec ACVPN traffic.
847112 - An exception dump occurred because of the corrupted build_task_socket_list
that was triggered by an incorrect behavior of IPv6 socket check.
890657 - The MGT zone option was unavailable for the SNMPv3 scr-interface.
915944 - IKE heartbeats in combination with IKEv2 were not supported, because, while
ScreenOS used IKEv2 for IPsec VPN in combination with an IKE heartbeat, the CHILD_SA
renegotiated every IKE heartbeat threshold.
916471 - Traffic that required any ALG RM resources was dropped because the RM
resources with inactive sessions were also allocated to the SQL ALG.
920454 - SCCP did not function correctly when it was configured with a MIP.
929794 - The SCP transfer to back up a configuration file from a device to the server
was terminated occasionally because the device began sending the TCP FIN packet
even before the host received the complete file.
930754 - An exception dump occurred when a session was created by HA and no
interface was found.
931973 - [ISG-IDP] IDP core dump occurred during a policy push because of a race
condition with AI.
933084 - An exception dump occurred while accessing an invalid packet header
argument other than 5-tuple fields.
935973 - The SCTP ALG incorrectly dropped SCTP packets in chunk bundle cases
when chunk lengths of COOKIE_ECHO and INIT_ACK were different.
937391 - An exception dump occurred because of a NULL pointer in nsp_tunnel when
a policy was deleted.
947948 - An exception dump occurred because a session was reused before the
fragment was freed in fcb.
965947 - After upgrading from ScreenOS 6.3.0r12 to ScreenOS 6.3r13 or later versions,
high CPU usage occurred because of the SNMP functionality.
Security
942614 - A problem with parsing pair policies for policy-based VPNs resulted in high
CPU usage causing the firewall to reboot.
929892 - Few TCP sessions processed by antivirus remained in the close_wait state
after processing an ACK, which led to the antivirus session becoming full.
982141 - An exception dump occurred in multiple firewall clusters that were managed
via SSL, because of a malformed heartbeat packet.
Copyright © 2015, Juniper Networks, Inc.30
ScreenOS 6.3.0 Release Notes
Routing
939242 - An Invalid route remained in the route cache after an active route was
recovered.
968466 - Track IP objects with a default timeout interval of 1 timed out even before
the reply was received.
VPN
930506 - The VPN under IKEv2 through dialup (serial 0/0 in a V.92 interface) did not
come up after it went down (did not renegotiate).
WebUI
911395 - In the WebUI, the scr-interface option was unavailable for SNMPv3.
915316 - Unable to delete policies from the WebUI because the browser displayed
error 404, Page Not Found.
928960 - The VIP policy was removed automatically from the WebUI after modifying
the VIP address because the change in VIP corrupted the address tree.
953826 - In ScreenOS 6.2.0r18 and ScreenOS 6.3.0r16, the WebUI displayed an error,
Cannot display the configuration under Configuration >Update >Config.
956274 - Unable to delete the track IP function from the WebUI because the browser
displayed error 404, Page Not Found.
956282 - Unable to delete the external group from the WebUI because the browser
displayed error 404, Page Not Found.
956288 - Unable to delete a VSD group from the WebUI because the browser displayed
error 404, Page Not Found.
956291 - Unable to delete the NSRP track IP function from the WebUI because the
browser displayed error 404, Page Not Found.
956312 - Unable to delete address lists from the WebUI because the browser displayed
error 404, Page Not Found.
956314 - Unable to delete the SUN-RPC service from the WebUI because the browser
displayed error 404, Page Not Found.
956317 - Unable to delete address groups from the WebUI because the browser
displayed error 404, Page Not Found.
956320 - Unable to delete the MS-RPC service from the WebUI because the browser
displayed error 404, Page Not Found.
31Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Addressed Issues from ScreenOS 6.3.0r16
Others
769049 - An exception dump occurred when antispam and antivirus processes used
too much system memory.
819171 - A brute force attack was triggered n+1 times its configured value.
888573 - [SSG5/SSG20] V.92 serial interface failed to reconnect when the call was
terminated improperly.
892843 - The default router would be automatically deleted from the IPv6 routing
table because the IPv6 routing table was not refreshed when the RA was received.
897651 - IKE congestion displayed an error while calculating ike_nego_activity_count,
because of an incorrect behavior that was set when the commit-bit was enabled.
898323 - The device printed data buffer information logs on the console when it
received a UDP packet larger than 4000 bytes.
901137 - If IPv6 was enabled, the RADIUS auth IPv4 server address could fail because
of the server’s inability to create a RADIUS socket.
901422 - VSD Group 0 was created when the VSD group configuration exceeded the
valid ID threshold.
907339 - The MIP settings on the dialer interface did not appear in the system output
for the get config commands on the console. Although these settings did appear in the
WebUI output and in the get interface dialer mip command console output, after the
firewall was rebooted these MIP settings disappeared.
908829 - The MSRPC traffic failed because the ALG did not parse some authentication
fields.
918217 - While renewing its SCEP certificate, the primary device failed to update and
remained in the pending state.
919797 - The device under test (DUT) crashed when it was rebooted because it
attempted to re-enter an unprotected resource.
929757 - Event log messages regarding the mode change were not displayed in the
Root VSYS when the cpu-limit/vsys-profile feature triggered a shared-to-fair mode
transition due to a high CPU incident.
Security
861671 - The firewall rebooted automatically when changes were made to the policy
through the WebUI.
879680 - The firewall crashed when it attempted to assign memory because of a bug
in the web task logic.
882566 - The firewall failed when the Multicast PIM module referred to a null pointer.
884567 - The firewall dropped UDP packets because the PPUs froze when the firewall
attempted to process fragmented traffic.
Copyright © 2015, Juniper Networks, Inc.32
ScreenOS 6.3.0 Release Notes
892915 - The user had to restart syslog by using apply & reset connections from WebUI
because SSG140 with syslog enabled over TCP, periodically failed to send syslog
messages.
893808 - The firewall accepted the subnet ID as the IP address of the interface.
WebUI
776323 - TACACS+ in transparent mode could not be configured through the WebUI.
877558 - The WebUI did not display complete data for the default option All Routers
in the Policy List drop-down when the user navigated through Network >Routing >
PBR >Policy.
904619 - In the WebUI, the VLAN zone could not be blocked when the user navigated
through Network >Zones >Edit.
Addressed Issues from ScreenOS 6.3.0r15
CLI
664162 - Track IP configured through the CLI did not always reflect the correct
configuration when displayed in the WebUI.
688061 - While saving a configuration using the get config >tftp command, g-arp was
automatically added to the config file.
789133 - In the CLI configuration, the trap versions were displayed only when SNMP
was configured with networks that used the /32 subnets.
Others
841084 - The firewall in NSRP failed when a subinterface was removed.
694835 - The device experienced an exception dump when running multicast traffic
with PIM, because of a null pointer.
734260 - IPv6 packets were dropped incorrectly because of sequence number checking.
743657 - A large number of configured PBR policies took a long time to be built, which
resulted in a watchdog timeout. This caused the device to perform a core dump.
746210 - NSM does not allow you to set a VSI interface with a value greater than 7.
770815 - Under certain conditions, the device rebooted unexpectedly during an SSH
connection to the Infranet Controller.
807561 - Irrespective of the status of the link, an SNMP walk performed to check
ipv6IfOperStatus on backup devices returned the interface status as UP.
812703 - Traffic forwarding through GRE over a route-based IPsec tunnel failed when
traffic shaping was enabled.
819292 - ISDN failed, because the protocol packet response was very slow.
836499 - Adding an incorrect subnet mask IP address to a multi-cell policy resulted
in deletion of other addresses in the multi-cell policy.
33Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
840476 - Some Real Time Objects (RTOs) were not synchronized between primary
and backup devices while performing a major ScreenOS upgrade.
850527 - Occasionally, a new NSRP master was not connected to the Infranet
Controller after an NSRP failover. The Get infranet controller command displayed the
status as Closed.
853577 - The device performed a core dump and rebooted because of a MIP on the
loopback interface.
857406 - The MSRPC traffic failed because the port values were not compared while
an rpc_map_search was performed.
859608 - The SNMP traps were not triggered when the source IP-based session limit
was reached.
862597 - While setting the source address and the destination address as negate in
the intra-zone policy, the intrazone policy did not match with the configured policy,
and it defaulted to a global policy.
865894 - Unable to delete L2TP users, even though the L2TP tunnels were inactive,
because of an incorrect count of active L2TP users.
867748 - Unable to manage secondary firewall through the backup manage-ip
interface.
869155 - When the mgt.1 interface was created, it was accidentally added to a VSD
group. This caused a change in the MAC address of the mgt interface.
869675 - The device encountered an exception error when the WSF module took too
long to process a large, corrupted packet.
869698 - Issuing the save config to tftp a.b.c.d filename.txt command, enabled flow
vector profiling.
872130 - Return packets dropped while they were being forwarded from one node to
another.
872593 - Traffic logs were not generated for TCP port 1503.
874372 - The device experienced an exception dump when an SSH process referenced
a null pointer.
875123 - Some applications, like FTP, failed because of an incorrect TCP ACK sequence
number when in an NAT environment.
876229 - A read error in a real-time clock (RTC) chip caused the device to reboot.
878809 - A multicast session got stuck because of a time sync.
879511 - The device experienced an exception dump when a user with read or write
privileges had their access changed to root privileges.
880797 - FTP-Get service was unable to restrict FTP upload through the APPEND
command.
Copyright © 2015, Juniper Networks, Inc.34
ScreenOS 6.3.0 Release Notes
884643 - When the ICMP-ANY service was set to never time out, ICMP sessions were
not closed even after the ICMP-Reply was received.
896357 - An exception dump occurred because of a memory corruption in the SIP Via
list.
Security
722000 - [ISG] IDP Security Modules in an NSRP cluster were not shown in the WebUI.
VPN
750452 - A policy-based VPN session lost its tunnel information because of a route
change. As a result, the packet was forwarded incorrectly to an interface (instead of
to a tunnel).
804902 - VPN packets with sequence numbers greater than 0xffffff00 created frq1
duplication, resulting in a MAC flood.
843507 - EAP authentication information was not cleared when clearing IKEv2 SA,
causing an exception dump.
845065 - A VPN could get reset when using SHA-2 because of a mismatch between
software and hardware sequence numbers.
863127 - OSPFv3 got stuck in the EX_START state in a route-based VPN tunnel that
was using unnumbered tunnel interfaces.
WebUI
678784 - The WebUI stopped responding while dialer interfaces were being configured.
704897 - When a static mroute was configured from the WebUI, the OIF was not
displayed if one of the interfaces was in a custom VR and the other was in a default
VR.
812494 - SurfControl integrated Web filtering was configurable even for unlicensed
versions through the WebUI.
849169 - The device experienced an exception dump when it tried a lookup for group
addresses through the WebUI, where the group address zone ID referenced a null
pointer.
35Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Addressed Issues from ScreenOS 6.3.0r14
Admin
803487 - ScreenOS failed when the auth table was large and the exec infranet controller
check-sessions command took longer than 30 seconds.
ALG
818193 - Occasionally, the SIP call timer timed out SIP messages earlier than expected.
832693 - When a client initiated a session with the NFS server, the dummy port (created
previously when the NFS server was used as an NFS client) does not allow the NFS
control session to be processed by the SUNRPC ALG. This resulted in the blockage of
the subsequent data sessions.
834945 - Harmless RPC traces were printed on the console.
840673 - The SIP call dropped after 45 minutes because the session expire header
was not updated when the re-invite was sent.
Antivirus (AV)
842538 - AV scan performance was slow when trying to relay an HTTP 302 message
if the connection mode is not a keep-alive.
Others
817379 - The SSG Series devices failed to handle the NSM packets that contained an
0xffff TCP checksum.
822847 - The system experienced a memory leak when the pass-through traffic
required authentication.
831747 - Device encountered an exception error when pinging a multicast group address
due to a NULL pointer being incorrectly referenced.
833083 - The southern hemisphere DST setting, which begins in October and ends in
April, automatically got disabled at the end of October. This resulted in the incorrect
time being displayed.
835602 - The PKI information synchronized with the backup information even though
the rto-mirror for PKI was disabled.
839155 - Packets were matched incorrectly by debug flow filter when either src/dst
ip or src/dst port were the same.
842055 - NSRP flaps and packet drops were encountered due to a dead lock between
SLU engine and PPU, this further resulted in ASIC to reinit.
853718 - A packet drop occurred as a result of an incorrect TCP sequence calculation.
Copyright © 2015, Juniper Networks, Inc.36
ScreenOS 6.3.0 Release Notes
Routing
828964 - The learned OSPF routes were lost when the remote peer router-id was
changed; and the peer box failed to obtain the correct network LSA.
Security
818620 - The command unset ike gateway <gateway> xauth accounting server <server>
cannot be synchronized, especially after one of the devices were rebooted.
828168 - The NSRP backup firewall failed and then rebooted repeatedly.
VPN
800584 - The firewall failed to verify ECDSA signature.
823285 - The policy based VPN tore down after NSRP failover, with remote peer
reporting antireplay errors.
830423 - After enabling IPv6, the IPsec VPN traffic was dropped.
WebUI
833871 - Updating DI from WebUI on backup did not get synchronized to the primary
device.
833873 - The modified OSPF neighbor list value was not updated properly.
842738 - The DNS server could not be modified when the device was in transparent
mode.
701694 - The root administrator lost read/write privileges while modifying the
administrator password.
37Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Addressed Issues from ScreenOS 6.3.0r13
ALG
796066The SIP data session no longer uses in the same route as the control session.
The data session now uses the route specified in the routing table.
Antivirus (AV)
803148Websites occasionally fail to open when the AV is enabled and the syn-ack
packet has window size of 0.
Logging
804620—Redirection of logs to an external website might stop, and, although more
than 10 percent of free space is available, the following message appears: There is less
than 10% space available in current active file.
Other
585488The firewall core was dumped and rebooted when the tftp get tech > tftp
command was used.
587570The multicast outgoing interface (OIF) was calculated incorrectly.
681596—Firewall or pass through traffic intermitted when high-end platforms reported
increase in CPU5 drop counters.
730059The firewall rebooted unexpectedly when net-pak contains the wrong flag.
730138The console output displayed a slot_num(1) or chip_num(2) error.
742169The firewall rebooted spontaneously because of a duplicate session issue.
745496The server had a large TCP window, causing the Notify-conn-close to fail.
751579— VLAN traffic on ASIC-based platforms in Layer-2 Transparent Mode was
dropped when the VSYS bound to the VLAN group was deleted and the same VLAN
group was referenced in another VSYS.
754606—SYN flood protection was triggered even though the attack threshold was
not reached.
771666When IPv6 and BGP were both enabled, it caused the firewall to core dump.
771827The device rebooted with a crash dump in the IKMPD task due to a memory
leak.
771959The Infranet controller connection was disconnected on the firewall as a
result of missing Keep Alive messages in a scenario with a large number of policy
configurations on the firewall.
775604—In an NSRP cluster, dhcp server auto did not work.
775844—On SSG 520M and SSG 550M devices, the fan status occasionally appeared
as down.
Copyright © 2015, Juniper Networks, Inc.38
ScreenOS 6.3.0 Release Notes
777402—PPTP occasionally failed because of a route lookup failure in the cross-VR
design of the child GRE session.
788853The firewall performed a core dump and rebooted because of a wrong
parameter logic being used while generating logs.
789358—On PIM interfaces, setting the set int <phy link-down> command did not keep
the interface down even after a reboot.
796098When mirroring was configured on NS 2000 or ISG Series devices (including
IDP-enabled devices), a TCP three-way handshake failed on the device during SYN
proxy processing.
811257The NSRP backup device did not undergo a "never" timeout synchronization
at session creation.
814516The SSG Series device did not start the PPPoE connection after NSRP failover.
Routing
768724—In some instances, BGP routes failed to be advertised because of a broken
SPF list.
783986When compatibility with RFC-1583 was set for OSPF and a network change
occurred the device had to run several calculations for SPF.
Screen
790842The firewall performed a core dump and rebooted when the set zone trust
screen ip-spoofing include-default-route command was executed.
SNMP
782678The device might send multiple traps for a single event, causing duplicate
entries.
785140—SNMP traps are not generated for a few Screen options.
807264—In ScreenOS 6.3, when the SNMP listen port was configured, the change did
not get updated and the default port value of 161 was retained.
VPN
780465The Ctrl+C option did not interrupt the output of the CLI through get
commands.
783720After NSRP failover, the remote IPSec gateway might drop AH packets
because of anti-replay protection.
WebUI
781483—In the WeUI, several NHTB event-log pages are blank. Event logs do not
display the correct number of entries per page.
39Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
793235—In the WebUI, the Network > Interface Edit > OSPF page neighbor list from
the Neighbor List drop down and then click drop-down menu and click Apply. However,
the neighbor list drop-down menu setting is not updated after the Apply function, and
the list does not appear on the device, which continues to display "None."
Addressed Issues from ScreenOS 6.3.0r12
ALG
678300—Failed to translate IP on SET-PARAMETER within RTSP by ALG causes the
video streaming to stop intermittently.
736470—H.323 ALG was unable to handle cross vsys H.323 traffic.
752103—RTSP SET_PARAMETER is not address translated.
771008—Communication failed when H232 ALG may change h245 address in the
payload.
778810—Policy change caused h323 alg hit a null pointer and device failed.
Authentication
778720—Firewall stopped authenticating against RADIUS server.
Antivirus (AV)
753601—Sometimes websites failed to open with AV enabled, if the server does not
send the FIN ,after sending HTTP body.
Logging
740584When a sub-interface is created and cancelled an event message "MTU for
interface has been changed to 1500." is displayed.
Management
726174—Firewall might add additional padding to a reply packet.
737433The ifIndex value is not the same in standard MIB and NetScreen enterprise
MIB while executing SNMP query for interfaces.
NSRP
705438—In asymmetric routing condition, if a session is not prepared and synchronized
correctly might result in unexpected packet drop.
Other
523647The "set envar" command used to address the ESP sequence number is not
retained permanently after the process of Asic re-init and reboot of the firewall.
590160—Device might crash when route id is a larger number and the NSRP route
sync is enabled.
Copyright © 2015, Juniper Networks, Inc.40
ScreenOS 6.3.0 Release Notes
689721The Random Number Generation for SPI does not work.
710595When the "Pending Drop Notify" counter fills up the Infranet Controller process
on the firewall and does not release regularly, results in Drop queue full message and
no Drop notify messages to be forwarded to Infranet Controller.
719600—Device hanged due to ASIC when IDP tried to process IPv6 ESP traffic resulting
in split bran situation.
721101—Device might reboot unexpectedly when the firewall received invalid HA
messages.
725966—Firewall experiences core dump after HA fail over due to IKE-v2 parameter
sync problem between the primary and the backup devices.
726468The PKI process might send an incorrectly formatted message to the SSH
process, resulting in a core dump.
727126—Firewall spontaneously reboots when FTP server tries to initiate data
connection before client sends "RETR" command.
728097—On interface configuration, firewall is accepting network number (1.1.1.0/24)
as an IP address.
728480Asymmetric traffic failed when IPv6 was enabled.
731534—Firewall was spontaneously rebooting due to memory overwrite.
731582—Debug flow drop, shows the packet information for the dropped packets.
732793—Device might crash when you modify an existing policy.
735268—Sometimes device may reboot with core dump due to a logical error in the
code.
736122—In IKEv2 VPN, device may reboot with crash dump on receiving illegal or
malformed IKEv2 packet.
739175—Illegal memory access causes spontaneous reboot of the firewall.
740513When SIP ALG fragments the packet, the first fragment is of small-sized
which may not include the mandatory SIP headers.
743309—Multicast traffic can cause firewall to coredump.
743842—Brute-force attack pop3 detection failed under certain conditions.
744684—Sometimes, after OS upgrade, the firewall starts rebooting continuously in
loop condition, due to a memory overwrite issue. This is because of smaller buffer size
of fat table in flash.
744785When you send traffic to an IP address that is part of the loopback interface
subnet, there is an infinite loop and this might cause high CPU.
745791—In layer2 mode, if a switching loop sending a packet originating from the
firewall back to itself on a different interface, then the interface adds the vlan-1 Mac
address to the interface Mac table. An additional check is added to prevent the firewall
from adding its own VLAN.
41Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
746646—[ns5000 and ISG] ARP entries in Hardware and Software may mismatch
due to inconsistent ARP update mechanism.
750929—Device might crash when you delete the interface used by NTP module.
752246SCTP natted traffic might stop working when you set the envar x-in-ip.
756682—Internet Explorer 9 pop-up credentials does not appear with SSG firewall
Authentication.
768558Sometimes cross ASIC traffic gets dropped due to incorrect logical check in
the code.
769297—System failure occurred during malloc memory leak failure.
769737When the card is plugged in on slot 5 the information of the card cannot be
seen in datafile.
771104—ICMP unreachable traffic does not undergo NAT operation in transparent
mode.
773293—Harmless unnecessary debug message has been removed from the console
output.
777142When performing snoop offset filter on VPN tunnel traffic firewall may crash.
777170After IPV6 was enabled there was high CPU on backup of NSRP firewall.
778730—SIP ALG caused a system failure during a list erase function.
779261—HA resync caused device with large configuration in NSRP failure.
781343—In a VSD-less cluster, the device will now check to make sure the ingress and
egress interfaces match the session. If they do not match, then the device clears the
existing session and creates a new session with the correct interfaces.
781815The new policy installation process was modified to be more compatible with
NSM.
797994When the firewall is configured for ALG with loopback interface the firewall
may core dump and reboot.
Routing
730018—BGP IPv6 prefix was not advertised after reboot.
733528—In IGMP proxy, when an admin clears multicast-route (mroute) by executing
the CLI clear vr vr-name mroute command, it cannot rebuild the mroute even after the
new igmp v3 report packet arrives.
734361—BGP neighbor parameter rejection command is deleted after BGP instance
flap or upon reconnect.
SNMP
737747While using standard MIB2, indexes or mapping between Indexes of the OID
'ipAdEntIfIndex' and the OID 'ifDescr.x' are incorrect and as a result SNMP poll sends
an incorrect result.
Copyright © 2015, Juniper Networks, Inc.42
ScreenOS 6.3.0 Release Notes
738116—SNMP Authentication Failure Trap is generated when a GET-REQUEST with
different SNMP version is received.
VPN
705374—IKEv2 failed in rekey after failover to backup.
731964— L2TP IKEv2 VPN might not come up if multiple IKEv1 & IKEv2 VPNs are
configured.
749931—Phase 2 rekey failed on IPSec with NAT-Traversal.
770471—In WebUI, removing the configuration related to proxy-id was not possible.
780247—Proxy ID mismatch between SA and policy was due to an endian issue.
WebUI
751661—In PPPoA Interfaces WebUI the connect and disconnect buttons did not work.
777559—In WebUI, event log was not showing the correct number of lines.
773466—In WebUI, special characters in the route map name were discarded when
using the "Add Seq No" link. This resulted in the creation of a new route map rather
than a new sequence number on the existing route map.
Addressed Issues from ScreenOS 6.3.0r11
ALG
710227—SIP ALG was modified to ensure that all SIP data fragments have their call
data modified according to any NAT parameters.
Antivirus (AV)
690029when AV was enabled downloading a large file (if the content-length of
HTTP request was too large) failed with ASP error.
IDP
695082—IDP module on the ISG platform used to hang when executing the command
"get sm status".
Management
671719—NSM was unable to update policy to device because sme_bulkcli was stuck.
687217—Firewall failed when you run fprofile.
696588—If SCP file transfer was used regularly then there was a high memory on
firewall.
703695—Unable to add MIP configuration to a multi-cell policy through WebUI.
43Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
NAT
611751—MIP for GRE over IPsec did not work, if the MIP was not in the same IP subnet
as the tunnel interface.
700690Sometimes the Extended IP x.x.x.x or its range collides with IP y.y.y.y or its
range when configuring an ext DIP on unnumbered tunnel interface.
NSRP
703949The expired tunnel sessions were not removed properly in a backup device.
Other
551755—"IPv6 neighbor gateway [IP6] is reachable" was logged incorrectly when it
is unreachable.
582089—Pass through IPv6 IPSEC sessions are interrupted due to incorrect session
timeouts set on ALG created child sessions.
592160—After HA failover, the tunnel route pointing to the VPN stayed inactive for a
long time by causing traffic loss on the new master.
599686—FTP ALG did not work correctly when receiving unexpected ack from server,
after the EPASV request from client.
661016—when ACVPN was configured the device experienced a memory leak.
662330Asic classifier bug caused IGMP Query messages to trigger Source Route IP
alert on ISG's.
662930Traffic through the IPSEC tunnel destined to one of the interfaces sometimes
failed, because of reply packets getting sourced from tunnel interface IP.
675550When upgrading through tftp, the device might reboot with core dump.
686087—Unable to bind an unnumbered tunnel interface within a VSYS if the VSYS
name contains parenthesis.
686165—If the IP of egress interface changed then existing sessions might not get
updated with the new IP.
688228When layer 2 broadcast packet was received, it was incorrectly interpreted
as Winnuke attack.
690786—Unable to change the maximum number of sessions with envar command
on ISG2000 box with advanced license and less than 2GB memory.
691510ASIC stopped forwarding traffic due to an issue with PPU-F.
692085—Firewall was rebooted and core dumped due to multicast packets accessing
the null pointer for a PIM neighbor.
692124—NHRP feature resulted in a memory leak condition.
692497When "set envar x-in-ip=yes" on ISG1000, get error "x-in-ip not supported".
Copyright © 2015, Juniper Networks, Inc.44
ScreenOS 6.3.0 Release Notes
694306—FW experienced high task CPU momentarily at polling times due to snmp
task on 6.3. code.
699131—ISDN primary number and alternative number length fields changed from 15
to 16.
699200—Due to URL filter and DNS the firewall caused core dump and rebooted the
system.
700331—Firewall was rebooted and core dumped after adding VSD-Group.
700352—DNS server cache snooping remote information disclosure is detected.
700481With SNMP and more than 8 VSD groups configured, the device might cause
core dump and rebooted during SNMP polling.
701519—Pass through VPN traffic breaks source session limit set on zone screening.
701968—Session are not updated with the new VPN with better route and packet
dropped.
703689When DST was enabled and the system was rebooted, the SNMPv3 engine
time was set to a higher value than the specified value in the RFC.
708406—Firewall rebooted and core dumped due to accessing the invalid memory
area.
709646—Under a certain condition, Serial interface accepted traffic whereas Ethernet
interface did not accept traffic.
718372When a session was taken out of hardware and if the firewall received a FIN
then the firewall did not close the session.
721988There was a memory Leak in Anti-SPAM feature of UTM.
722208—SSG device stopped passing traffic in all directions due to an error in read
logic on the interfaces.
723404—During external vulnerability scan, a spontaneous reboot due to a null pointer
occurred.
724145—During device reset, the custom NSM management port resets from 7900 to
a default port of 7800.
727177—Pass through IPsec sessions are not removed in NSRP VSD-less cluster.
Routing
686224—BGP neighbor flapped at irregular intervals.
718144—During route failover some sessions are not getting cleared.
728946—BGP router cannot be established between two loopback interfaces belonging
to different Virtual routers on the same device.
45Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
VoIP
705648—SIP ALG was unable to parse the multipart or mixed MIME type in SIP INVITE
packet, when it had values within quotes, but spaces in between words.
VPN
592488—Connection to VPN failed when the external IP changes on the NAT device
that resides in-between VPN end points.
703677—In redundant VPN configuration, OSPF did not come up during VPN failback
from secondary to primary.
WebUI
676776WebUI was unable to display vrouter name, if the length was more than 15
characters.
687935—In WebUI, the policy search feature was unable to display the selected service
if it belonged to multi-cell service.
688016WebUI was unable to display NHTB table entries if the list of NHTB entries
was more than 582.
717325—Monitor Zone and Monitor Interface configuration was not available in WebUI.
Addressed Issues from ScreenOS 6.3.0r10
ALG
604887With SIP ALG enabled, the device might sometimes send TCP packets with
window size zero which might stall the SIP session.
679138—RM resources are released incorrectly that subsequently causes RTSP traffic
to drop.
IDP
697323—Sometimes the security module stops forwarding the traffic due to a memory
leak in IDP engine.
Management
578449—Firewall was unable to connect to NSM using the first connect.
665355—NSM supports "unset nsrp config sync vpn-non-vsi" command.
674637The firewall crashes sometimes when a long URL was described in custom
category of sc-cpa.
675913—SNMPwalk was not including logical interfaces in the output list for IFDESCR
and IFNAME OIDs.
Copyright © 2015, Juniper Networks, Inc.46
ScreenOS 6.3.0 Release Notes
NSRP
568133—IPv6 RA messages are processed on VSD 0 interfaces and are not processed
on VSI interfaces which are part of VSD 1 and VSD 2.
574244—Even after no preempt option was enabled, sometimes the device rebooted
as master.
666641—Data link was unavailable when there is only one link in HA zone connected
to 16 port uPIM.
672901—After failback due to preempt, the new master (with preempt) sometimes
lost connection to IC4500 (Infranet Controller).
Other
578204—Firewall forwarded duplicate log information to NSM due to an error in the
session byte count.
599808Ability to log UDP floods on ASIC based systems was added.
600543With NSM enabled, the device management was very slow and the device
was resetting frequently.
601364—Interface physical link was brought up after reboot even after it was down.
610108—IPv6 Auto-Discovered route was inactive when IPv6 over PPPoE is connected.
660288—In non-HA mode, IPv6 multicast packet was dropped by the interface when
ipv6 config is disabled. Do not consider VSI.
660950—In NSRP Active or Active environment, PPTP might get disconnected
unexpectedly.
662392—Duplicate MAC addresses are returned in reports for the mac-tables of SSG
bgroup interfaces.
662589—Firewall experienced core dump and rebooted the system when accessing
the Dlog process.
662930Traffic through the IPSEC tunnel destined to one of the interfaces sometimes
fails, because of reply packets getting sourced from tunnel interface IP.
664485—Policy might not compile exactly, when "negate" was used.
665008TCP connection was not established for MSRCP traffic in certain conditions,
due to an endian issue.
666370—Incorrect destination port was displayed 20480(0x5000) in the event log
for the web management connection when the system configuration is saved through
web-UI.
668859—In SNMPv3 configuration, there was no option to specify the source interface.
673295The command "set chassis audible-alarm all" was modified on the SSG
platform to remove the "battery" option as the SSG platform does not support this
option.
47Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
674245—"Packet Too Big" message from ICMPv6 was dropped due to no session.
674736—GTP IDreq packets are incorrectly dropped by sanity check due to unknown
IE.
675296—In L2 mode, the vsdless session must have time sync mechanism.
676289The device crashes while running certain commands through SSH or telnet.
676354—SSG140 dlog queue fullness causes session leak and results in traffic drop
with message "packet dropped, the dlog queue is full".
676984Authentication in NSRP from an Infranet Controller can sometimes lead to
duplicate authentication entry and might cause crash dump and reboot unexpectedly.
677467—Open SSH 5.8 client with pty-req greater than 256 bytes fails with "PTY
allocation request failed" error.
680365—Firewall crashes and reboots when AV was enabled.
681955—Syn-cookie might not get triggered sometimes for the traffic that traverses
custom L2 zones.
683501The MSS option and length are incorrectly built when using SYN proxy.
685029—For IPv4 traffic with IP Protocol 58, traffic log displayed ICMPv6 in the service
field.
687205—"Config datafile" for NSM might not include routes from shared DMZ VR (for
vsys) to other vrouters.
687653—Sometimes tftp fails due to save config (from device).
688938—In a multiple VSYS environment, event Log messages on the Syslog server
was showing a wrong VSYS as the origin of the message, as the message belongs to
a different VSYS.
Performance
607132Traffic might be affected by flow control mechanism on the interface.
Routing
683325—OSPF neighbor ship gets affected in loading while the OSPF messages
fragment size was bigger than 1668 bytes.
Security
677385Transparent or L2 mode firewalls sends a SYN+ACK response packet to
client with an all-zero MAC address.
VOIP
662790—SIP registration packet was larger than the allowed registration packet size
for Avaya 9600 series phone.
Copyright © 2015, Juniper Networks, Inc.48
ScreenOS 6.3.0 Release Notes
664502—H323 messages are still flooding in ISG2000 even after disabling h323
app-screen message-flood.
VPN
591501After reboot, the configuration pertaining to IKEv2 for EAP authentication
was not preserved if the definition of the IKEv2 gateway name contained spaces.
604229—IPv6 with IKEv2 VPN tunnel might not sometimes come up between the
Motorola router and Juniper SSG device because of certain implementations.
673075—IKE DPD messages are generated from the NSRP backup device even after
the NSRP failover occurs.
WebUI
610921WebUI has limitations on ipv6 client-duid length.
671222The WebUI login might not accept a username of 31 or greater characters
even though the username was valid through CLI.
678280—Unable to modify WEB filter custom message on ScreenOS firewall through
NSM GUI for integrated SurfControl CPA.
685269The "activate" command fails while saving the BGP neighbor through WebUI.
Addressed Issues from ScreenOS 6.3.0r9
Administration
580929—Unable to add zone to proxy-id when zone name has a space.
604785While creating VSYS with VR in the same line an incorrect and mandatory
VR id number syntax is required as an optional field.
ALG
539589—Return NIS packets might be dropped on the firewall due to non-existence
of ALG pinhole. This is specifically with design where NIS server resorts to DNS lookup
when host is not found in NIS database.
HA & NSRP
609184—HA LED status was incorrect when unset VSD-group id was configured as
0.
IDP
662378After restarting the security module the policies are not compiled and loaded
in to the IDP module.
670888—IDP module core dumps when the security module is restarted.
49Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Management
556535—PBR configuration was lost after the firewall was rebooted.
575680SNMP walk on 10-gig interfaces shows incorrect interface speed.
607350—Unable to retrieve the chassis slot information with SNMP walk.
Other
544795—"Unset http skipmime mime-list" command appears during config.
558343—Memory utilization of "sys pool" increases as some of the memory allocated
in SMTP parser are not freed when the SMTP sessions are released.
561641—Packet loss under heavy traffic with NS5400 and 2XGE cards.
574264—Sometimes legitimate source IP address might be detected as an antispam
blacklist IP address during high number of SMTP traffic.
578457—SCP was not working on Ubuntu 10.10.
581190The device failed when memory was allocated.
584827The backup firewall might not get all IPSec SA synchronized from system
restart due to large number of VPN connections on NSRP setup.
585139—Sometimes device might reboot unexpectedly when certain TCP-based SIP
traffic passed through the firewall.
585768—SSH connections drop after 45 seconds of inactivity.
587433—Sometimes after OS upgrade, the firewall might not start up because of
certain condition in flash writing mechanism.
587809—Negotiation event log was not generated when IKE phase one was initiated.
593583The device failed while processing SMTP traffic for Antispam.
595094—In IPv6 environment, device might encounter HIGH flow CPU as IPv6 policy
search algorithm might consume most of the FLOW CPU time.
596169—SSG device running PPPoe core dumps when there was no DNS option
defined in PPP control packet.
596585—If IPv6 was not enabled on incoming interface, the multicast link local packet
such as NA was not considered as a to-self packet, and the device forwarded these
packets.
598630—Event log displays "route is invalid" even though there are no route changes.
598836ASIC resets when FTP service is configured with a never timeout.
599609The "in packet" and "in ucast" counter increased, though the physical
interface was down.
601092—Device name is missing in the syslog message forwarded from the firewall.
601173—Shared memory corruption caused by CPU enqueuing caused incorrect packets
to free buffer queue.
Copyright © 2015, Juniper Networks, Inc.50
ScreenOS 6.3.0 Release Notes
602147—"set arp" command was not supported in Transparent mode.
604069When Antispam or Antivirus was enabled, under certain conditions during
TCP establishment, the TCP traffic did not flow properly.
606118—Internal duplicate policy log entries caused the send mail task on the firewall
to loop that subsequently caused high CPU usage.
610023—[SSG300/500]Byte count for log-self shows wrong value.
610123ASIC stopped forwarding traffic due to shared memory corruption problem.
610271While logging multicast traffic, the policy based traffic log was incorrect.
612248—During high traffic, frequently pressing Crtl+C on console caused wrong output
in the event log and subsequently the device failed.
613108After deleting a policy, the "traffic logs" for that policy was not removed and
are not cleared manually.
614521—Policy scheduler cannot cover one minute between 23:59 and 00:00.
660958—[SSG550/SSG320] IPv6 log self shows wrong source and destination port
numbers.
661003—[SSG500/SSG300] destination ports are shown different in the self log
saved from WEBUI.
Performance
598073—FPGA performance limitation dropped HTTP packets and caused latency
during performance testing.
Routing
577347—After double NSRP failover, the routes redistributed into OSPF failed.
588275—Unable to clean up the RIP routes learnt from demand circuit in a VR.
VOIP
537064—Corrected the tunnel policy search logic, after opening a pinhole in the firewall
because sometimes the tunnel policy search failed.
VPN
590496—Firewall does not respond to notification message when phase 2 proposals
mismatch in IkeV2.
WebUI
562438—In WebUI, the "dialup user group" for IKEv2 was disabled and cannot be
configured.
596093Java Script WebUI display error was corrected in Internet Explorer 9.
51Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
614616The 6 to 4 tunnel end point IP address from WebUI will be rolled out by clicking
Ok button.
Addressed Issues from ScreenOS 6.3.0r8
Administration
580933— High task CPU triggered flow CPU utilization alarm.
ALG
586961— Application with large MSRPC payload did not work with ALG enabled.
Antivirus
529357— Management traffic was dropped by the firewall when the antivirus database
was getting updated.
Authentication
587578— 802.1x authentication is not supported on a bgroup interface.
CLI
574045— A command was introduced to permit IGMP packets with TTL greater than
one and to provide compatibility with other interoperability devices.
DNS
580838— Fragmented DNS packets failed to pass through device if Jumbo frame
support was enabled.
IDP
546621— IDP AVT timeout parameters caused high task CPU. This problem was seen
more in NSRP cluster.
560339— ISG IDP signature did not detect the Telnet attack pattern when configured
in the policy.
530282— sme_image caused high task CPU and NSM failed to update ISG-IDP.
Copyright © 2015, Juniper Networks, Inc.52
ScreenOS 6.3.0 Release Notes
Management
428710— Deleting the source interface bound to NSM module resulted in trace errors
or crash dump causing the device to reboot unexpectedly.
Other
487640— Hardware counters did not work on NS-5000-2XGE-G4 [2 x 10GigE Secure
Port Module (SPM)].
539351— MS-RPC sessions failed because of a cold start sync failure caused by RPC
process.
554007— The device sometimes failed because of a particular type of packet.
554716— Memory leak was triggered in system memory pool upon SSH login to SSG.
555070— SCTP traffic failed when it was moved to ASIC using the command set envar
x-in-ip=yes.
561219— Firewall experienced high CPU while receiving ICMP ECHO request with fixed
sequential ID.
563425— Firewall failed sometimes when there was a communication error, such as
duplex mismatch with the Infranet Controller.
563494— Syslog messages contained the character 'T' between date and time that
caused parsing errors.
568377— ASIC goes into non-responsive state with IPSEC-DSCP marking enabled.
570868— The firewall rebooted unexpectedly because of an unexceptional read error
in an incorrect packet buffer.
572707— Firewall failed because of a malfunction while running SPF in the OSPF task.
576128— The security module information with error "sm_get_cmd transmit timeout"
could not be obtained because of memory leak on SM.
580534— Auth table entries for the Infranet-auth policies was not maintained correctly
for the VPN tunnel sessions.
585314— SCP to the firewall failed from an UNIX machine and displayed the error
"unknown file '--ns_sys_config."
590147— Members of aggregate interface set as down were up after reboot.
53Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Routing
554973— PBR was unable to route traffic using tunnel interface when it was in the up
state.
VPN
550440— With IKEv2, firewall had responded to the create_child_sa message from
peer successfully but showed VPN status as inactive.
573906— Firewall uses old xauth-ip for p2sa rekey though the xauth-ip has changed.
This resulted in repeatedly requesting the user for Xauth authentication.
579094— IKEv2 with AES encryption in proposal failed because of incorrect attributes.
579899— In transparent mode, the traffic destined to vlan1 through policy based VPN
could not reply back to the same tunnel. Eventually management traffic such as ping
did not work.
581469— When IKEv2 was executed, clients located behind some NAT devices were
disconnected.
WebUI
578196— Hardware version displayed 0(0) on the WebUI.
582678— Creating admin user with special characters resulted in creating an invalid
user.
585834— While domain name had resolved many different IP addresses, Policy
Elements Addresses character were sometimes shown as garbled.
Addressed Issues from ScreenOS 6.3.0r7
ALG
524042—SIP ALG was unable to handle the RTP data session properly in a DIP/VIP
environment.
Antivirus
503330—Firewall was unable to process packets with the error, "Cannot allocate
memory logged with AV dropped due to scan-engine error code 10".
514358—High memory utilization in the AV engine resulted in error, "Cannot allocate
36880 bytes of memory".
519926—Firewall rebooted unexpectedly because of an error when processing packet
in the AV engine.
548601When ASP received out-of-seq TCP packets, it did not send back ACK until
all packets were received in sequence.
559335—File download stopped intermittently when AV was enabled because of an
error in the TCP proxy connection.
Copyright © 2015, Juniper Networks, Inc.54
ScreenOS 6.3.0 Release Notes
Authentication
448478—RSA SecureID authentication stopped working after few hours of operation.
557646WebAuth failed to provide the correct login page to the client for connecting
through a VPN tunnel.
CLI
559694When concurrent session was large, there was intermittent high task CPU
for a second, when an interface was added or removed.
568937The tunnel interface description command was not displayed in the "get
configuration" output, and the configuration was lost after the firewall was rebooted.
Management
548025—NHRP configuration was not supported in the config data file when managing
through NSM.
552547When there were primary and secondary NSM servers configured with source
interface, the device did not try to connect to the primary, and tried connecting only to
the secondary NSM server.
569631The admin name and password could not be changed or edited using NSM.
NAT
533403While translating from IPv6 to IPv4, NAT-PT process on the firewall was
adding additional fragment header without doing fragmentation, which caused the
packets to drop.
Other
522601—Firewall failed while processing the packet for Ichat ALG.
524318The null zone was renamed to an unknown name in the VSYS environment
when renaming the VSYS.
547040—ASIC dropped multicast packet when the last hop PIM router with SPT
disabled packet was received.
548257Traffic stopped passing due to session allocation failure in certain condition.
548464—Sometimes the tcp traffic was delayed by 1ms, when the tcp traffic passed
through the 10G IO card.
552417—Incorrect calculation of string length caused the device to reboot unexpectedly.
552804—Firewall failed during SPF calculation in OSPF V3.
555254—Implemented the support for UDP based fragment on data session when
the session was part of the ALG like SIP protocol.
558859—Firewall experienced a high memory usage and memory leak in the SSL and
certificate modules.
55Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
558980—Firewall failed when executing get route ip command in a multicast
environment.
562919—Firewall failed when the command was executed and redirected to tftp get
igmp group > tftp x.x.x.x get_igmp.log from ethernet2/1.1:1.
564557—Firewall incorrectly handled the POP3 RSET command.
567152—Firewall stopped passing traffic on the bgroup interface with two interfaces
in the bgroup which were connected to the same switch and when one of the members
interface state changed to down.
567976—Firewall failed when collecting the debug data for a split-brain condition due
to an ASIC problem.
568304—Firewall failed when the DNS refresh occurred and the policies were updated,
which also updates the proxy ID for the policy-based VPN.
569540—Incorrect time stamp was displayed in the event log message during the last
month of DST, when the DST was enabled.
569979—Firewall failed to download a file from Adobe website when the
reassembly-for-alg was enabled in the zone with DI.
570432—Incorrect log with IPv4 address was generated while editing an IPv6 address
book entry.
570628—Debug messages were displayed in the buffer even when no debugs were
running on the firewall.
570710—Firewall did not allow MIP IPs of the same range to be configured in different
VSYS.
570948—Firewall failed when it received a last fragment packet size of 64 bytes.
582278—Firewall dropped the pass through PIM multicast traffic due to an error in a
policy lookup process.
584381—Firewall failed due to an unexceptional error while processing the traffic.
Routing
564997—Firewall sent invalid triggered RIP updates on the interface which was not
configured to send the update.
VoIP
539819An H.323 IP phone registration failed because a packet that matched a session
on the ASIC was forwarded to an incorrect session queue.
VPN
548117—In IKEv2, firewall did not send the IDi and IDr messages with payload
information to the peer when the Phase 2 VPN failed with a proposal mismatch.
572352VPN tunnels failed with proxy-id mismatch error after upgrading from
ScreenOS release 6.0r4 to ScreenOS release 6.3r5.
Copyright © 2015, Juniper Networks, Inc.56
ScreenOS 6.3.0 Release Notes
WebUI
519824A device failed when a reject message was configured for integrated surf
control using WebUI containing more than 500 double byte characters.
538758—During deletion of VPN modecfg profile, "Unknown keyword" error was
displayed due to the missing quotes when the profile was created in WebUI.
552566With HTTP redirect enabled, the device failed to redirect to HTTPs while
accessing IPv6 address using WebUI.
567094—Sometimes the firewall policy with multiple address/service objects change
to a single object, if the "too many counting policies" error was encountered when the
policy was configured using WebUI.
573637WebUI did not display all the list of interfaces when there was a long list of
interfaces with sub interfaces.
57Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Addressed Issues from ScreenOS 6.3.0r6
Administration
536897—Under certain circumstances, the message command rejected due to writing
config conflict was printed on the telnet, ssh or console of the device.
Antivirus
535728While scanning the FTP session, the APP session was aborted because the
device ran out of packets with code 0 resulting in low memory. Delete unused license
to free memory space.
Authentication
536931—Cross-vsys authentication did not bind to the correct session in both vsys
which resulted in a session that was created in the ingress vsys but not in the egress
vsys. This resulted in denial of traffic.
CLI
541186The set log exclude-id command did not work for some of the event-types.
DI
538459—Memory leak in sys memory pool occurred when generating an alarm for
some signatures.
DNS
531507The status of Domain Name Server (DNS) entry in the address book was
incorrect.
GPRS
544157—GTP events produced multiple log entries.
HA & NSRP
524021—NSRP backup session installation error occurred because of route look up
failure that caused packet drop after failover.
529696—Under certain circumstances, with the HA link probe configured, the device
sometimes rebooted unexpectedly when the status of the HA link changed.
538250—Communication through the master node sometimes failed when exchanging
the backup device through NSM doing the RMA procedure.
Copyright © 2015, Juniper Networks, Inc.58
ScreenOS 6.3.0 Release Notes
IDP
536048—Repeated pushing of AppSig Db to security modules from NSM in the absence
of IDP policy caused memory leak on the security modules leading to update failures
on NSM.
Management
544149—[SSG350]Status of I/O fan 2 was reported incorrect through SNMP on
SSG350.
551538—Sometimes, the set envar config=flash command did not load the existing
configuration file upon reboot.
Other
453396—Under certain conditions the L2TP packets timed out, and the tunnel was
not deactivated and removed properly, which caused new packets to use an existing
tunnel and was black holed.
499157—High-end platforms reported high task CPU utilization if there were huge
number of phase 2 SAs configured.
504136The firewall sometimes resets when SIP packets with invalid header were
received.
504566The device sometimes rebooted unexpectedly if a tunnel session was treated
as a normal session.
524232—RTSP ALG erroneously treated two different packets as a pair of translated
packet and then dropped the packet.
526243The device rebooted unexpectedly due to CPU deadlock.
527319—[SSG20]No link was present for Copper SFP running JXM-1SFP-S module.
530924—PPP negotiations sometimes failed because of failure in adding a host route.
535171—Firewall failed when it received an IPv6 packet for an IPv4 session cache entry
during the sanity check process.
535584—Firewall was not able to learn the new MAC address in the IPV6 environment
when the upstream device NIC card or MAC address was changed.
537316The device rebooted unexpectedly during DNS refresh.
538370—External authentication server support was added for FIPS mode.
538766The device rebooted unexpectedly due to IPv6 address double free issue.
539010—Firewall failed when the policy pointer was NULL because of wrong packet
tag between ASIC and CPU.
540038—Sometimes, in NSRP Active/Active mode, asymmetric traffic was dropped.
541647The error message "FTP, FTP-Get and FTP-Put should not be put in the same
group" was displayed when adding FTP service to a multi-cell policy.
59Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
547117—Packets were dropped by anti-spoofing screening option on the backup NSRP
firewall.
547750—[IPv6] UDP checksum was zero.
547943—[NS5000] The increasing CPU4 drop counters affected the MGT3 platform
only.
548054—ISG and NS5000 platforms dropped pass-through ESP fragmented packets
with total size around 1700 bytes.
548294When the set flow reverse-route clear always command was configured, the
packet did not get arp resolved and was queued twice.
548449—Firewall displayed a Trace dump when get config command was run with
OSPFv3 and IPv6 enabled.
549614—Firewall failed when details for a peer gateway in a manual VPN configuration
were accessed.
549816—Under certain circumstances, the firewall core dumped and rebooted
unexpectedly.
558643With FIPS enabled, device failed to boot after upgrading to 6.3r5.
Routing
441711—RIPv2 failed to advertise routes to the neighbors after few hours of operation
in a hub-and-spoke VPN setup.
533910—RIP updates with more than 825 routes were dropped.
535615—OSPF neighbor on the VPN tunnel went down when the OSPF neighbor
session was incorrectly formed on the loopback interface rather than the tunnel
interface.
543671—BGP peering failed when force-reconnect option was enabled under certain
configuration conditions.
544754—Inter-area route was not removed from routing table even though an intra-area
route was learnt and existed in the OSPF database.
Security
540983—SYN packet sent to the server by the firewall after triggering the SYN-proxy
had an incorrect checksum.
VoIP
530047—SIP ALG was unable to handle the SIP calls that needed cross vsys policy
search.
VPN
508798—Firewall utilized very high memory when VPN was configured.
Copyright © 2015, Juniper Networks, Inc.60
ScreenOS 6.3.0 Release Notes
533635—Route-based VPN failover did not work because of an error in the route look
up process.
WebUI
534271—Predefined service timeout could not be edited using the WebUI.
535613—In the WebUI, adding a VIP using a service name with an ampersand (&)
resulted in "400 Bad Request" error.
535995—Unable to add profile name or user-group name with a blank space in WebUI
when configuring URL filtering.
536474—Replacing the NSRP configuration using the WebUI including certain specific
CLI sometimes caused unexpected behavior after reset.
546601Adding track IP in a vsys using WebUI resulted in error.
Addressed Issues from ScreenOS 6.3.0r5
The following operational issues were resolved in this release:
Administration
509654—[SSG 140] TX/RX LED remained ON even after the set interface ethernet0/X
phy link-down command was executed.
511835The configuration sometimes got deleted while configuring the administration
setting for custom L2-zone.
Antivirus
523759The firewall rebooted with "Exception Dump" when AV was enabled on the
policy.
Authentication
511019—802.1X authentication failed after PC hibernation.
528252The firewall sent multiple WebAuth requests to the user when a single HTTP
request was split into multiple packets.
61Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
DHCP
510653—Unable to configure DHCP option string with a length greater than 128 bytes.
DI
528641—Under certain conditions, after DI attack signature update, the configured
"action" in attack policies became incorrect.
HA & NSRP
509803—Software sessions on backup firewall did not ageout properly because of
its inability to synchronize time with its master unit.
519838—Both firewalls in NSRP cluster sometimes became master.
IDP
522728—Under certain conditions, the traffic dropped because the inline-tap mode
was changed to inline mode.
Management
505106—Under certain conditions, the policies were marked as "invalid" because of
NSM policy push operation.
520991After reboot, the unset http skipmime mime-list command was added to the
configuration.
522075TCP sweep and UDP sweep screen options could not be configured using
NSM because these options were missing in the ScreenOS config datafile.
522349Signatures with 30 or more characters were truncated when passed through
the syslog output.
524380The ifOperStatus reports wrong value in the NSRP passive cluster member.
526797When DNS response was fragmented, the reason for session close in the
traffic log became ageout.
529788—NSM view statistics sometimes caused the device to reboot unexpectedly
with dump.
NAT
512224—MIP translation between IPv6 addresses failed to translate.
Other
478573—[SSG300] The device sent corrupted IP packets on reboot.
483101The Elliptical Curve Diffie-Hellman (ECDH) IKE implementation populated
both group type and description in the Payload, and caused interoperability issue with
third party VPN devices.
Copyright © 2015, Juniper Networks, Inc.62
ScreenOS 6.3.0 Release Notes
503307Application-Specific Integrated Circuit (ASIC) hung and stopped passing
traffic due to incorrect session pointer.
513394A problem with the generation of counter statistics caused the firewall to
reboot unexpectedly.
519557—Firewall sometimes dropped packets in transparent mode if syn-flood was
enabled.
526215—"Policy:Not Found" error was displayed when the user tried to add a new
policy with "before id" and "DSCP enable value" keywords together.
529690—ESP pass-through traffic did not consider custom service timeout when the
custom ESP service was part of a service group.
529736The policy scheduling options "Recurring" and "Once" did not work together.
532937The firewall incorrectly allowed the user to configure an IPv6 MIP and then
DIP with the same address.
500993—Issue with RSH when the application reused source port while closing control
connection. The data traffic still existed.
533822When using SQL redirect, the ALG did not open the pinhole correctly.
Routing
528011—In specific circumstances, BGP did not send updates on routes that were
unreachable.
528417—Redistributed default IPv6 route in OSPFv3 was not advertised after an hour
of redistribution.
VoIP
529845With SIP ALG enabled, the firewall sometimes experienced high CPU.
VPN
469089The VPN monitor did not function for a manual key VPN because a proxy id
check was added on the packet sanity check, which was not required for a manual key
VPN.
506464—Under certain conditions, the device sometimes rebooted unexpectedly
because of RSA authentication.
Addressed Issues from ScreenOS 6.3.0r4
The following operational issues were resolved in this release:
63Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Administration
467398—Local root user sometimes lost root privilege when the remote admin used
the same user name.
496029While managing the firewall using SSH Secure Shell v.3.2.9, firewall reported
"Potential replay attack detected on SSH connection initiated from x.x.x.x."
501075The VeriSign CA certificate had expired and was invalid. It could be removed
from the system as the system already contained a valid VeriSign CA certificate. The
valid certificate could be seen with get pki x list cert command.
504196—SSH management sometimes disconnected abruptly when large output
commands were executed.
508319The device sometimes rebooted unexpectedly when the memory got
overwritten by the EAP task.
ALG
498113—In certain conditions, with RTSP ALG enabled, the RTSP traffic failed through
the firewall.
498869—Fragmented MSRPC packets were supported in the ALG.
Antivirus
498121—In certain scenarios, with AV enabled, the HTTP slows down due to TCP
retransmission.
Authentication
503196The source interface option for authentication (auth) did not work when
LDAP was configured as the AUTH server.
CLI
484141—System rebooted unexpectedly when get sip transactions command was
executed.
DHCP
495244—DHCP custom option 43 was sent with an invalid length.
HA & NSRP
515159The backup device used virtual MAC for ip tracking in a PPPoE environment
using interface redundancy.
IDP
507318—IDP Engine failed on security module and created core file.
Copyright © 2015, Juniper Networks, Inc.64
ScreenOS 6.3.0 Release Notes
513071With application identification enabled, invalid pointers had created an issue.
Management
491132—ICMP packets to the management interface experienced delay at regular
intervals.
494629—SNMP trap was not sent to indicate that the CPU utilization had returned to
normal level.
501026The exec policy verify command did not work for the group service.
502845The firewall rebooted unexpectedly when the L2TP policy was removed
through NSM.
503139—Under certain conditions, during an SNMP walk, the firewall sometimes
rebooted unexpectedly.
Other
419637—Many drop notification messages between IC and IE caused instability in the
SSH connection between them.
471425The event log displayed interface flapping messages within the same second
on the firewall, but the other end of the connection did not record interface flapping
messages within the same second on the firewall.
485192The GRE packets of PPTP session were dropped sometimes if PPTP server
CALLID was set to 0.
488614The set zone <zone name> tcp-rst command did not work for SSH on high-end
platforms.
491466—SQL connections failed sometimes when the SQL ALG was enabled.
492796—[NS5000] Under certain conditions, only software sessions were created
when there was no destination MAC address entry of the packet in the MAC learning
table. As a result, subsequent packets were flooded and the CPU utilization was high.
494276—A URL blocked by Websense sometimes did not display the corresponding
blocked message in the browser in an asymmetric routing environment.
494617—ScreenOS devices managed by NSM version 2009 or above sometimes
encountered memory leak issue.
494946—[SSG 300] The alarm LED did not turn red when large ICMP packets were
detected.
495554—Firewall rebooted unexpectedly when the policies changed and read at the
same time.
498529The SNMP get query for BGP related OID sometimes provided an incorrect
output.
498562—IPv6 did not work on PPPoE ADSL interface.
499421With edipi enabled, XAUTH user cannot inherit the IP information from old
XAUTH session when rekeying new SA leading to memory leak.
65Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
500495With antispam enabled, e-mail with attachments greater than 3 to 4 MB
sometimes dropped due to out of memory error.
500843—Output of SNMP walk sometimes displayed incorrect interface for ARP table
entries.
501256The Translated Dest column was empty when the traffic logs were saved
using WebUI.
501343—Even though there was no incoming traffic, alarm traffic for policy increased,
because the self traffic was denied by the deny policy.
502419Traffic shaping statistics were not displayed on the NSRP VSI interfaces on
the firewall.
504084The track IP failed sometimes when the interface was inactive.
505456—Event log displayed "system temperature severely high" message even when
the temperature of the device was appropriate and the hardware was in good condition.
505554Traffic log for large PING over MTU size was displayed as close-ageout
instead of close-resp.
506473—Radius server was not reachable when the source interface was not the
Virtual Security Interface (VSI).
506543—Parsing a folder with the name "quit" abruptly closed the FTP session.
509166—SSG5 wireless device was not able to locate the best channel under certain
conditions.
510473Typo in infranet enforcer mode test command resulted in syntax error after
reboot.
511026The implementation of IKEv2 DoS attack prevention was incorrect.
511812When a BGP neighbor was configured and an outgoing route map was applied,
the firewall did not apply the local preference correctly as specified in the policy terms.
512752—In certain conditions, failure of the infranet controller connection caused high
CPU condition on the device.
515064—In certain conditions, it was possible to define a custom service object for
protocol 0.
520662—Under certain conditions, the get alg pptp xlat command sometimes caused
the device to reboot unexpectedly.
Copyright © 2015, Juniper Networks, Inc.66
ScreenOS 6.3.0 Release Notes
Performance
494910—[SSG 140] In certain circumstances, when there was heavy traffic through
the interface, all the traffic passing through the interface e0/9 was blocked.
Routing
501996—In case of multiple virtual routers (VRs), sometimes, deleting a multicast
route from one VR might not update information in the other VR causing the device to
reboot unexpectedly.
504708With NSRP sync route enabled, the redistribution of routes from BGP to
OSPF was delayed.
505962The RIP packets were constructed twice with the same RTE, but with different
metrics.
501953The redistributed default route did not get advertised in the OSPFv3.
VoIP
511469—Limitation on the maximum h245 channel number was 10. This limitation
caused problem with certain VoIP applications.
517439—URI of SIP message was modified incorrectly when NAT with SIP ALG was
used.
VPN
441805The ikmpd task caused periodic high task CPU peaks.
500203ASIC based firewall sometimes stopped passing traffic when ESP packets
with invalid SA value were received.
502729VPN failed to come up when the outgoing interface was a loopback interface.
503323After deleting a VSYS, the system log erroneously displayed error messages
related to deleting a tunnel zone, and SSH PKI key associated with that VSYS.
504014—In some scenarios, VPN policy with MIP failed to translate Proxy ID.
505065VPN policy with domain name was not updating the right proxy-id after
reboot.
508886—NetScreen Remote Client for dial up VPN did not failover to redundant
gateway when track-ip failed.
WebUI
496267The tunnel interface erroneously appeared inactive in the WebUI and ready
in the CLI when the VPN monitor was disabled.
496418WebUI configured as a web bookmark did not open in a new window on an
SA Series page.
67Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
502098—Sometimes, the device rebooted unexpectedly when the VPN name was
changed.
504696—Potential unauthorized disclosure vulnerability was found, when the private
address of the firewall was sometimes disclosed.
506282Whitelist URL was blocked by URL filtering because the code did not identify
the port number (non 80) in the hostname header.
507172Sometimes, the firewall rebooted unexpectedly when WebUI was accessed.
513085—In the WebUI, under certain conditions, MIP configuration for IPv6 address
was not available.
515172Alarm events for DI detection were missing in an exported report from the
WebUI.
Addressed Issues from ScreenOS 6.3.0r3
The following operational issues were resolved in this release:
Administration
417686—Socket leak might occur when Internet Explorer (IE) with HTTPS was used
for WebAuth management.
472816—Sometimes the clear socket <socket id> command could not clear the tcp
socket when it was in a certain state.
480480—Under certain conditions, memory leak in the event log module caused high
memory utilization.
481730The get system command displayed the hardware version as 0000(0)-(00)
on SSG300 and SSG500 devices.
493627—Under certain conditions, device might reboot unexpectedly when RPC
(MS-RPC or SUN-RPC) traffic passes through the device and show rpc map command
was executed.
Antivirus
478469—In transparent mode, VLAN tag was removed from the HTTP traffic after AV
scanning.
DHCP
484087The destination IP was incorrectly set to 0.0.0.0 when DHCP relay agent
received a DHCP ACK in response to a DHCP INFORM.
GPRS
448582—GTP inspection dropped the SGSN Context Response message if the Next
Extension Header type was 0xC2 (Suspend Response).
449284—In certain conditions, the firewall failed to allocate GSN, and hence caused
the GTP traffic to drop.
Copyright © 2015, Juniper Networks, Inc.68
ScreenOS 6.3.0 Release Notes
456358The common flags GTP Information Element was not removed when set
remove-r6 command was configured.
457093—For a new GTP tunnel, CreatePdpRequests from an SGSN were dropped if
the response was not received before a certain time period.
472199When R6 IE removal was enabled, GTP CreatePdpRequest packets got
corrupted when both the MS-Time zone information element and a private extension
were present.
485578The GTP remove-r6 feature removed the mandatory RAI IE from SGSN
Context Request and Identification Request messages.
485911—Support had been added for removing Information Element '184 - Bearer
Control Mode' using the GTP remove-R6 feature.
486613When GTP traffic dropped, the bad system status message appeared in the
log.
HA and NSRP
472083When NSRP track-ip monitoring was configured within vsys, configdata file
had incorrect track-ip information.
IDP
467521—[ISG-IDP] In certain conditions, processing of RPC packets caused memory
allocation problem which eventually caused the security module to hang.
485928—[ISG-IDP] The IDP engine resets due to application identification.
493618—[ISG-IDP] IDP engine core dumps frequently due to DFA cache memory
corruption.
Management
455186—Firewall running OSPF rebooted unexpectedly after a delta configuration
through NSM was performed.
456690The traffic log did not display IPv6 addresses correctly.
459999The set flow vpn-tcp-mss command was not available for configuring in
NSM.
466692The SNMP IPv6 IfIndex value was reported as incorrect from the firewall.
468514Traffic log was not generated for a source or destination port equal to 1503.
468659—E-mail notifications for logs from the firewall were not formatted correctly.
470754—[NetScreen-5000] The redundant interface reported overflow errors when
it was not initialized correctly after a system restart.
471298—UDP MSRPC EnDPort mapper (MS-RPC-EPM) traffic incorrectly displayed
the traffic log as MSRPC ENDPOINT MAPPER (TCP).
69Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
485725—Firewall socket issue caused higher task CPU than expected which caused
the management through web and SSL to fail.
485946, 470729—Event log message displayed <username> turn off debug switch
for all when admin exited the CLI.
485958—Source interface of secondary NSM server was incorrectly removed from
the configuration.
491026SNMP walk for certain MIBs did not return any value.
NAT
450989—Unable to access MIP configured on loopback group from different zones
on the firewall.
480667The firewall allocated vsys limit for configuring MIPs to a shared interface
in root-vsys instead of global limit.
Other
463515—MAC entries in the bgroup mac-table were not cleared after an interface went
down.
465718—Under certain conditions, the device might reboot unexpectedly when a
Dial-Up user tried to connect.
466619The set license-key auto-update command rolled back to unset after a device
reboot.
472178The set zone trust screen udp-sweep threshold command enabled the
tcp-sweep option.
472433—Packet might be corrupted due to ASIC buffer problem.
472690, 264366—ICMP flood screening option incorrectly dropped packet and
generated alarm even when the packet rate was lower than the configured threshold.
477561The guaranteed bandwidth parameter was incorrectly allocated in traffic
shaping.
479300—In some scenarios, non-impacting messages such as “TR installing ready
reverse wing” were logged to the debug buffer.
479752—Under certain conditions, the device might reboot unexpectedly when running
get config datafile command.
480179When the SC-CPA server was inaccessible, the device displayed UF-MGR:
Internal error: Failed to allocate uf_record event.
481096—Enabling the set log audit-loss-mitigation feature caused the device to halt
traffic after the log buffer was filled.
481805The bandwidth settings configured on the gigabit subinterfaces were not
loaded after reboot.
484133With unknown protocol protection disabled, traffic with protocol number
greater than 137 was dropped erroneously.
Copyright © 2015, Juniper Networks, Inc.70
ScreenOS 6.3.0 Release Notes
484169—Firewall might reboot unexpectedly if GBIC card was not properly initialized
during boot up.
484839—In some scenarios, firewall might restart unexpectedly if get alg pptp xlate
command was executed.
485332—PIM register message was dropped when the inner packets were fragments.
486445The device might reboot unexpectedly due to its access to a NULL pointer.
486896—Event log timestamp was changed because of NTP update.
489167The session was torn down while changing multi-cell policy if RPC was one
of the service cell.
489205—In IPv6, the MTU was not changed according to an ICMP6 "Packet Too Big"
error message.
490158—[Netscreen-5000] In some scenarios, the firewall stopped forwarding traffic
and was also not accessible through in-band access.
490176—An upgrade for SSG140 running a dual boot image using SCP (secure copy)
required the device to reboot twice.
491531TCP session might be broken when failover occurs from one tunnel to the
other due to wrong TCP Window Scaling Factor in hardware session.
492544, 491555—In certain situations, TCP-based SIP traffic in the environment could
cause the firewall to reboot unexpectedly.
498306—[SSG 300/500] Under certain conditions the firewall would reboot
unexpectedly when UAC was configured.
Performance
413433—[SSG-500] Internal sanity check caused higher CPU than expected resulting
in intermittent packet drops.
478205When large amount of WebAuth transaction takes place at a time, some
HTTP SYN packets might drop during TCP 3-way handshake without returning SYN
and ACK packets.
491967—Policy search was slow with complex and larger number of policy
configurations causing high CPU utilization.
Routing
466158—Capability negotiation error between BGP peers caused BGP to stay in idle
state.
473625—Under certain conditions, multicast traffic did not match the longest matching
multicast group policy.
474158, 446155—Change in RPF source route or change in route towards the RP was
not reflected properly to the multicast routing table.
480470—BGP anti-flap processing was removed from the backup NSRP node.
71Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
482372—In some scenarios, IBGP did not send updates to some of the BGP peers.
483854—OSPF neighbor relationship was lost on active primary connection when the
backup link flapped.
485608—Firewall failure dump was caused by the BGP route updates.
490020—In specific circumstances OSPF converged incorrectly.
VoIP
458341—SIP ALG did not handle the SIP calls that used multi-part message as
expected.
484227—SIP MIME and Multipart messages were modified on the firewall that caused
the SIP packets to drop.
VPN
472618—NS-Remote IPsec phase one negotiation failed when IKE ID was changed.
475831—Quotation marks (" ") were removed from configuration when the set vpn
vpn_name bind zone "zone_name" command was used.
479107The VPN proposals ordered through WebUI of the firewall was ambiguous
and could lead to unintended selection of the proposal between the VPN peers.
480642—User could not pair a VPN policy when multiple MIPs were used as destination.
480691The VPN tunnel down message (for example, VPN <vpn-name> from
<IP-address> is down) was not generated in the event log when the NSRP backup
device became the master.
482399AC-VPN failed to connect from one Spoke to another Spoke VPN site in the
NAT-T scenario.
486043—Firewall might reboot unexpectedly when IKE/CLI and flow module accessed
the NHTB table at the same time.
486608The set vpn <vpn> dscp-mark <dscp> command for manual VPN failed to
set the DSCP marking for outgoing ESP packets.
489859—In some scenarios, when the firewall was reset, the tunnel interface status
remained down even when the security association (SA) was up.
494667—Incorrect proxy-id with VPN Policy having MIP and overlapping source and
destination address.
WebUI
291948When the device had many event log entries, refreshing the main WebUI
page or the report page using Report > System Log > Event action caused high CPU
utilization.
450974—Enabling or disabling the Java or ActiveX component also unsets IP Spoofing.
Copyright © 2015, Juniper Networks, Inc.72
ScreenOS 6.3.0 Release Notes
474665—In vsys, for IKE gateway configuration, option to select shared root interface
was not available in the outgoing interface drop box in the WebUI.
479160—Unable to save AutoIKE configuration for VPN phase 2 in the WebUI when
Proxy ID was enabled and vpn group was selected.
479440—“unknown keyword ipv6” error was displayed when using VPN wizard for
vpn setup with IPv6 disabled on the firewall.
480387—“The value of time-out cannot be greater than interval” was displayed for
certain interval values greater than the threshold values when creating Track IP entry
using the WebUI.
493414—In the WebUI, when the user clicked Go or New button to open a policies
menu, the device rebooted unexpectedly.
495940WebUI incorrectly displayed the tunnel interface status as inactive.
Addressed Issues from ScreenOS 6.3.0r2
The following operational issues were resolved in this release:
Administration
445491When displaying BGP route advertised without specifying a neighbor address,
the error bgp neighbor 0.0.0.0 doesn't exist is displayed.
456101—[ISG, NetScreen 5000] The port mirror command displayed erroneous Failed
command - set mirror port source ethernet4/1 destination ethernet1/1 message on console
bootup, even though the command existed in the configuration file and was working.
Antivirus (AV)
458125—In transparent mode, with the UTM enabled, when preparing a child session
in the ALG traffic, the VLAN tag information was lost.
Authentication
416043The device did not clear the existing System Information Block (SIB) when
the associated radio caused the wireless authentication failure.
471517—Protocol version check caused the RSA SecureID authentication failure.
73Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Command Line Interface (CLI)
462860—[SSG 140/300/500, ISG 1000/2000, NetScreen 5GT] After a reboot, the
unset admin hw-reset command was not saved.
Deep Inspection (DI)
454303When a DI policy was enabled, and the ip-action was "notify", the packet
that matched the DI group specified in the policy got dropped.
Domain Name System (DNS)
458316A device might reset if a vsys that contains address book objects with DNS
names was deleted.
471892—DNS queries did not work when device was configured to use itself as DNS
server (when DNS proxy is enabled on an interface).
General Packet Radio Service (GPRS)
437975With GTP inspection enabled, at times, the GTP Echo Response might drop
and the log displays the bad state message.
High Availability and NetScreen Redundancy Protocol (HA and NSRP)
448011—Under certain conditions, WSF was not being updated in hardware session.
449011—[SSG 140, SSG 300, SSG 500] When Active/Passive NSRP in L2 mode is
configured, some traffic might stop for a few minutes just after failover under a specific
condition.
449858—Non-VSI PPTP session was not functioning as expected in NSRP
Active/Passive scenario.
454981—[SSG 300M] When NSRP failover occurred, the red LED alarm was triggered.
461079—[NetScreen 5000] The backup firewall would prematurely remove the
sessions on the master in a VSD-less NSRP cluster and cross-ASIC traffics.
463752—In NSRP Active/Active mode, if tcp syn-check was enabled, the user could
not update the session after the three-way TCP handshake was complete.
Intrusion Detection and Prevention (IDP)
431797—Packets were dropped when the TCP Error Reassembler Packet Memory
Exhausted signature was enabled.
Management
455868—[SSG Devices] Number of tasks has been increased on SSG devices to allow
management to the device.
473110—Format of IPv6 addresses were being sent incorrectly to NSM log viewer.
Copyright © 2015, Juniper Networks, Inc.74
ScreenOS 6.3.0 Release Notes
Network Address Translation (NAT)
455943When the PPTP service and GRE service timeout are configured to never,
the PPTP xlate fills up unless the PPTP connection is shutdown.
Other
302382—In certain conditions, the firewall might reset if a session incorrectly references
a MAC address without route information.
387173Traffic was blocked intermittently because of an error in handling non-IDP
traffic as IDP sessions.
432190—[NetScreen 5000 M3] VLAN retag did not work properly with 10 Gig interfaces.
437660—Firewall reboots due to MGCP traffic.
448252—[SSG 300] In transparent mode, the NMAP scan caused packet going across
the firewall to drop.
449239—SQL ALG did not function as expected when client request came into the
SQL server's MIP address.
451051—[ISG] Internal memory corruption caused ISG devices to stop creating new
sessions and hence impacted traffic.
455183—Few packets might be dropped due to ASIC reinit.
455373The device resets when some SQL ALG registers access an odd address.
455405ALG for FTP, RSTP, GTP, SQL, SIP, and RSH was corrupting the control
packet which in turn was causing problems with the data packet.
459357WebAuth redirect from firewall contains a corrupted target URL when a proxy
was used and the HTTP-request was split into two packets. The first packet includes
the GET line and the second packet includes the HOST line.
460233With DST enabled, the e-mail notification time from ScreenOS was an hour
ahead of the actual time.
461492When SQL IPMP failover was performed, subsequent traffic did not pass
through the firewall.
462783—Under certain conditions, sessions with timeout of 0 or 1 were never aged
out of the firewall.
463422—New TCP did not pass through the firewall in Transparent mode if there was
no matching MAC table entry.
465223The get gbe id 1 CLI command causes the device to reset.
468821—Double quotation mark (" ") was not accepted in the middle of a comment
or description for the definition of an address, route or group policy objects.
473279The debug nsm nsp-debug command might result in system reset.
75Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
Performance
455350—MTU was set to 1500 when a tunnel interface causing performance issues
was added to the interface.
Routing
433987—Memory leak because of large OSPF LSA might reset the device.
435956—Firewall removed some RP-set when it received BSR messages with a tag
zero.
436444—Device might reset if IGMP v3 source specific report was sent.
448691—BGP routes can get stuck in route table if two neighbors send the same prefix
route and routes change frequently.
449723—Firewall might reboot because of incorrect scheduling of SPF algorithm for
the OSPF protocol.
459513—Unable to set IPv6 static route to null interface.
Voice-over-Internet Protocol (VoIP)
422611—Power Cycling H.323 IP Phone resulted in NAT pport leak.
442077—H.323 calls failed when it exceeded 10 OLC channels.
442660—Incorrect format of INVITE messages resulted in random failure of VoIP calls
using SIP.
472554—[SSG 140] Maximum number of NAT cookies has been increased to 512.
Virtual Private Network (VPN)
442719—Unable to configure a C Class Broadcast IP address for the IKE Gateway
address.
448720—Unable to remove User Group that was previously bound to a VPN, even
after that VPN has been removed.
452080The TCP 3-way handshake failed because of an error in the setup of IPsec
VPN.
455520Tunnel interface was not created when route based VPN configuration was
pushed from the NSM.
459053A logically down interface might still respond to VPN monitor packets sent
by a VPN peer device, and hence not allowing the VPN state to go down.
459239—Xauth information was erroneously removed when initial-notify was received.
474622—[IKEv2] Tunnel IP address did not get released when Dial-Up IKE v2 SA was
terminated.
474923—[IKEv2] Rekey is unsuccessful when using Dial-Up VPN.
Copyright © 2015, Juniper Networks, Inc.76
ScreenOS 6.3.0 Release Notes
WebUI
455462—Using the WebUI, when an aggregate BGP route was added, a new option
summary-only was added that was not specified in the WebUI.
459894—Unable to remove the address book object "DMZ Any" after it was configured.
463137—IRDP cannot be enabled on interface e0/0 using the WebUI.
465697—In certain conditions, the WebUI management causes the system to reset
because of incorrect parameter value.
468211—In the WebUI, the IPv6 route entry did not accept uppercase characters for
an IPv6 address.
469439VPN monitor configuration might rollback to default after editing vpn entry
from the WebUI.
Addressed Issues from ScreenOS 6.3.0
The following operational issues were resolved in this release:
Administration
309759—Reloading configurations while the device is experiencing heavy traffic might
cause the device to fail.
388700—It is currently possible to configure a VIP from a subnet other than the
unnumbered tunnel interface IP. However, this is not a supported configuration; admins
should not be allowed to configure a VIP from a subnet other than the unnumbered
tunnel interface IP.
414839The policy logs in syslog did not show the correct data sent or received for
FTP.
416873—After a reboot, some event log entries were not recorded in the syslog file,
when the syslog was configured using UDP.
429883The MSS-based sockets were changed on the new accepted socket.
432014The authorized user with read and write privileges is able to issue the set
admin password command because of which some user privileges are lost.
Application Layer Gateway (ALG)
446420The Microsoft windows management interface (WMI) control service fails
in some scenario.
Antivirus (AV)
299960—Using the new Kaspersky Labs antivirus scan engine, the antivirus database
takes a relatively long time (1 to 5 minutes) to load from a flash disk to system memory.
While the database is loading, CPU usage might go extremely high and device
performance might drop.
77Copyright © 2015, Juniper Networks, Inc.
Addressed Issues
388885The extended antivirus (AV) pattern file was too large for the flash memory