Junosv Firefly Feature Support Guide Controlled Release

Junos® OS

Feature Support Reference for JunosV Firefly

Release

12.1X44-D20

Published: 2013-07-02

Copyright © 2013, Juniper Networks, Inc.

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net

This product includes the Envoy SNMPEngine, developed by Epilogue Technology, an IntegratedSystemsCompany. Copyright© 1986-1997,Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no partof them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentationand software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed throughrelease 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’sHELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateDsoftware copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Feature Support Reference for JunosV FireflyRelease 12.1X44-D20Copyright © 2013, Juniper Networks, Inc.All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through theyear 2038. However, the NTP application is known to have some difficulty in the year 2036.

ENDUSER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networkssoftware. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted athttp://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions ofthat EULA.

Copyright © 2013, Juniper Networks, Inc.ii

http://www.juniper.net/support/eula.html

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

JunosV Firefly Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . v

Supported Routing Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Part 1 Feature Support for JunosV Firefly

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Feature Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Feature Support Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Address Books and Address Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Application Layer Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Attack Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Diagnostics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Ethernet Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Ethernet Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Firewall Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Flow-Based and Packet-Based Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

IPv6 IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Log File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Multicast VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Network Operations and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

iiiCopyright © 2013, Juniper Networks, Inc.

Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Security Policy Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Session Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

System Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Upgrading and Rebooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 3 Feature Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Copyright © 2013, Juniper Networks, Inc.iv

Junos OS Feature Support Reference for JunosV Firefly

About This Guide

This preface provides the following guidelines for using the Junos OS Feature Support

Reference for JunosV Firefly:

• JunosV Firefly Documentation and Release Notes on page v

• Supported Routing Platforms on page v

• Document Conventions on page vi

• Documentation Feedback on page vii

• Requesting Technical Support on page viii

JunosV Firefly Documentation and Release Notes

If the information in the latest release notes differs from the information in the

documentation, follow the JunosV Firefly Release Notes.

To obtain the most current version of all Juniper Networks®technical documentation,

see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/ .

JuniperNetworkssupportsa technicalbookprogramtopublishbooksby JuniperNetworks

engineers and subject matter experts with book publishers around the world. These

books go beyond the technical documentation to explore the nuances of network

architecture, deployment, and administration using the Junos operating system (Junos

OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,

published in conjunction with O'Reilly Media, explores improving network security,

reliability, and availability using Junos OS configuration techniques. All the books are for

sale at technical bookstores and book outlets around the world. The current list can be

viewed at http://www.juniper.net/books .

Supported Routing Platforms

This manual describes features supported on JunosV Firefly running Junos OS.

vCopyright © 2013, Juniper Networks, Inc.

http://www.juniper.net/techpubs/

http://www.juniper.net/books

Document Conventions

Table 1 on page vi defines the notice icons used in this guide.

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2 on page vi defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

ExamplesDescriptionConvention

To enter configuration mode, typetheconfigure command:

user@host> configure

Represents text that you type.Bold text like this

user@host> show chassis alarms

No alarms currently active

Represents output that appears on theterminal screen.

Fixed-width text like this

• A policy term is a named structurethat defines match conditions andactions.

• JunosOSSystemBasicsConfigurationGuide

• RFC 1997,BGPCommunities Attribute

• Introduces or emphasizes importantnew terms.

• Identifies book names.

• Identifies RFC and Internet draft titles.

Italic text like this

Configure themachine’s domain name:

[edit]root@# set system domain-namedomain-name

Represents variables (options for whichyou substitute a value) in commands orconfiguration statements.

Italic text like this

Copyright © 2013, Juniper Networks, Inc.vi


Table 2: Text and Syntax Conventions (continued)

ExamplesDescriptionConvention

• To configure a stub area, include thestub statement at the[edit protocolsospf area area-id] hierarchy level.

• Theconsoleport is labeledCONSOLE.

Represents names of configurationstatements, commands, files, anddirectories; configurationhierarchy levels;or labels on routing platformcomponents.

Text like this

stub <default-metricmetric>;Enclose optional keywords or variables.< > (angle brackets)

broadcast | multicast

(string1 | string2 | string3)

Indicates a choice between themutuallyexclusive keywords or variables on eitherside of the symbol. The set of choices isoften enclosed in parentheses for clarity.

| (pipe symbol)

rsvp { # Required for dynamicMPLS onlyIndicates a comment specified on thesame lineas theconfiguration statementto which it applies.

# (pound sign)

community namemembers [community-ids ]

Enclose a variable for which you cansubstitute one or more values.

[ ] (square brackets)

[edit]routing-options {static {route default {nexthop address;retain;

}}

}

Identify a level in the configurationhierarchy.

Indention and braces ( { } )

Identifies a leaf statement at aconfiguration hierarchy level.

; (semicolon)

GUI Conventions

• In the Logical Interfaces box, selectAll Interfaces.

• To cancel the configuration, clickCancel.

Representsgraphicaluser interface(GUI)items you click or select.

Bold text like this

In the configuration editor hierarchy,select Protocols>Ospf.

Separates levels in a hierarchy of menuselections.

> (bold right angle bracket)

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can send your comments to

[email protected], or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include

the following information with your comments:

• Document or topic name

• URL or page number

viiCopyright © 2013, Juniper Networks, Inc.

About This Guide

mailto:[email protected]

https://www.juniper.net/cgi-bin/docbugreport/

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides youwith the

following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement

(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html

Copyright © 2013, Juniper Networks, Inc.viii


http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf

http://www.juniper.net/support/warranty/

http://www.juniper.net/customers/support/

http://www.juniper.net/techpubs/

http://kb.juniper.net/

http://www.juniper.net/customers/csc/software/

https://www.juniper.net/alerts/

http://www.juniper.net/company/communities/

http://www.juniper.net/cm/

https://tools.juniper.net/SerialNumberEntitlementSearch/

http://www.juniper.net/cm/

http://www.juniper.net/support/requesting-support.html

PART 1

Feature Support for JunosV Firefly

• Overview on page 3

• Feature Support Tables on page 5

• Feature Support Information on page 41

1Copyright © 2013, Juniper Networks, Inc.

CHAPTER 1

Overview

• Feature Support Overview on page 3

Feature Support Overview

JunosVFirefly is a virtual security appliance thatprovides security andnetworking services

at theperimeter or edge in virtualizedprivateor public cloudenvironments. JunosVFirefly

runs as a virtual machine (VM) on a standard x86 server.

JunosVFirefly enablesadvancedsecurity and routingat thenetworkedge inamultitenant

virtualized environment. JunosV Firefly is built on Junos OS and delivers the similar core

networking and security features available on SRX Series devices for the branch.

Someof the keybenefits of JunosVFirefly in virtualizedprivateor public cloudmultitenant

environments include:

• Stateful firewall protection at the tenant edge

• Faster deployment of virtual firewalls

• Full routing and networking capabilities

• Complementary with the Juniper Networks vGWVirtual Gateway for inter-VM security

• Centralized and local management

JunosV Firefly inherits many features from the SRX Series product line. However, there

are certain features that might not be directly applicable in a virtualized environment,

and such SRX Series features have been excluded from the JunosV Firefly product line.

The following sections describe the available features on JunosV Firefly as of Junos OS

Release 12.1X44-D20. For feature roadmap details, contact your Juniper Networks

representative.


CHAPTER 2

Feature Support Tables

• Address Books and Address Sets on page 7

• Administrator Authentication on page 7

• Alarms on page 8

• Application Layer Gateways on page 8

• Attack Detection and Prevention on page 10

• Autoinstallation on page 11

• Class of Service on page 12

• Diagnostics Tools on page 13

• DNS Proxy on page 13

• Dynamic Host Configuration Protocol on page 14

• Ethernet Link Aggregation on page 14

• Ethernet Link Fault Management on page 15

• File Management on page 17

• Firewall Authentication on page 18

• Flow-Based and Packet-Based Processing on page 18

• Interfaces on page 19

• IP Monitoring on page 21

• IP Security on page 21

• IPv6 Support on page 26

• IPv6 IP Security on page 27

• Log File Formats on page 28

• MPLS on page 28

• Multicast on page 29

• Multicast VPN on page 30

• Network Address Translation on page 31

• Network Operations and Troubleshooting on page 32

• Network Time Protocol on page 32

• Packet Capture on page 33


• Routing on page 33

• SecureWeb Access on page 34

• Security Policy Support on page 34

• Security Zone on page 35

• Session Logging on page 36

• SMTP on page 36

• SNMP on page 36

• Stateless Firewall Filters on page 37

• System Log Files on page 37

• Upgrading and Rebooting on page 38

• User Interfaces on page 39



Address Books and Address Sets

Junos OS supports address books and address sets. An address book is a collection of

addresses and address sets that are available in one security zone.

An address in an address book could be a name for an IP address, a network prefix, a

DNSdomain, or a range of IP addresses. Address sets are collections of addresseswithin

an address book. They allow you to effectivelymanage addresseswhen configuring your

network. Instead ofmanaging large numbers of individual address entries, you canmore

easily manage a smaller number of address sets because any changes made to an

address set automatically applies to all the addresses in the set.

JunosOSalsosupportsaglobal addressbook,which is createdoneachsystembydefault.

It contains predefined addresses and is not attached to any zone.

Table 3 on page 7 lists the address book features supported on JunosV Firefly.

Table 3: Address Books and Address Sets Support

JunosV FireflyFeature

YesAddress books

YesAddress sets

YesGlobal address objects or sets

YesNested address groups

Administrator Authentication

Junos OS supports three methods of administrator authentication:

• Local password authentication

• RADIUS

• TACACS+

With local password authentication, you configure a password for each user who is

allowed to log in to the device.

RADIUS and TACACS+ are authentication methods for validating users who attempt to

access the device using Telnet, SSH, or other administrativemeans. Both are distributed

client/server systems—the RADIUS and TACACS+ clients run on the device, and the

server runs on a remote network system.


Chapter 2: Feature Support Tables

Table 4 on page 8 lists the administrator authentication features that are supported on

JunosV Firefly.

Table 4: Administrator Authentication Support


YesLocal authentication

YesRADIUS

YesTACACS+

Alarms

Junos OS supports three types of alarms:

• Chassis alarms indicatea failureon thedeviceor oneof its components. Chassis alarms

are preset and cannot bemodified.

• Interfacealarms indicateaproblem in thestateof thephysical linkson fixedor installed

PIMs. To enable interface alarms, youmust configure them.

• Systemalarms indicateamissing rescueconfigurationor software license,where valid.

System alarms are preset and cannot bemodified, although you can configure them

to appear automatically in the J-Web or CLI display.

Table 5 on page 8 lists the alarm features that are supported on JunosV Firefly.

Table 5: Alarm Support


YesChassis alarms

YesInterface alarms

YesSystem alarms

Application Layer Gateways

AnApplicationLayerGateway (ALG) isa softwarecomponent that isdesigned tomanage

specificprotocols suchasSession InitiationProtocol (SIP)or FileTransferProtocol (FTP)

on JunosVFirefly devices running JunosOS.TheALG interceptsandanalyzes the specified

traffic, allocates resources, and defines dynamic policies to permit the traffic to pass

securely through the JunosV Firefly. Also, ALGsmodify the embedded IP addresses as

required.



Table 6 on page 9 lists the ALG features that are supported on JunosV Firefly.

Table 6: ALG Support


YesDNS ALG

YesDNS doctoring support

NoDNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering

YesDSCPmarking for SIP, H.323, MGCP, and SCCP ALGs

YesFTP

YesH.323

YesAvaya H.323

YesIKE

YesMGCP

YesPPTP

YesRSH

YesRTSP

YesSCCP

YesSIP

YesSIP ALG–NEC

YesSQL

YesMS RPC

YesSUN RPC

YesTALK

YesTFTP



Attack Detection and Prevention

Attack detection and prevention detects and prevents attacks in network traffic. An

exploit canbeeitheran information-gatheringprobeoranattack tocompromise, disable,

or harm a network, network resource, clients or servers.

Juniper Networks provides various detection methods and defense mechanisms at the

zone and policy levels to combat exploits at all stages of their execution, including:

• Screen options at the zone level

• Firewall policies at the inter-, intra-, and super-zone policy levels (super-zone here

means in global policies, where no security zones are referenced)

Table 7 on page 10 lists the attack detection and prevention features that are supported

on JunosV Firefly.

Table 7: Attack Detection and Prevention Support


YesBad IP option

YesBlock fragment traffic

YesFIN flag without ACK flag set protection

YesICMP flood protection

YesICMP fragment protection

YesIP address spoof

YesIP address sweep

YesIP record route option

YesIP security option

YesIP stream option

YesIP strict source route option

YesIP timestamp option

YesLand attack protection

YesLarge size ICMP packet protection

YesLoose source route option



Table 7: Attack Detection and Prevention Support (continued)


YesPing of death attack protection

YesPort scan

YesSource IP-based session limit

YesSYN-ACK-ACK proxy protection

YesSYN and FIN flags set protection

YesSYN flood protection

YesSYN fragment protection

YesTCP address sweep

YesTCP packet without flag set protection

YesTeardrop attack protection

YesUDP address sweep

YesUDP flood protection

YesUnknown IP protocol protection

YesWhitelist for SYN flood screens

YesWinNuke attack protection

Autoinstallation

Autoinstallation provides automatic configuration for a new device that you connect to

the network and turn on, or for a device configured for autoinstallation. The

autoinstallation process begins any time a device is powered on and cannot locate a

valid configuration file in the disk. Typically, a configuration file is unavailable when a

device is powered on for the first time, or if the configuration file is deleted from the disk.

Theautoinstallation featureenables you todeploymultipledevices fromacentral location

in the network.



Class of Service

When a network experiences congestion and delay, some packets must be dropped.

Junos OS class of service (CoS) allows you to divide traffic into classes and offer various

levels of throughput and packet loss when congestion occurs. This allows packet loss

to happen according to the rules you configure.

Table 8 on page 12 lists the CoS features that are supported on JunosV Firefly.

Table 8: CoS Support


YesClassifiers

YesCode-point aliases

YesEgress interface shaping

YesForwarding classes

YesHigh-priority queue on Services Processing Card

YesIngress interface policer

YesSchedulers

YesSimple filters

YesTransmission queues

YesTunnels

NOTE: GRE and IP-IP tunnels only.

YesVirtual channels



Diagnostics Tools

JunosVFireflydevicessupportasuiteof J-WebtoolsandCLIoperationalmodecommands

for evaluating system health and performance. Diagnostics tools and commands test

the connectivity and reachability of hosts in the network.

Table9onpage 13 lists the featuresof thediagnostics tools that are supportedon JunosV

Firefly.

Table 9: Diagnostics Tools Support


YesCLI terminal

YesJ-Flow versions 5 and version 8

YesJ-Flow version 9

YesPing host

YesPing MPLS

YesTraceroute

YesPing Ethernet (CFM)

YesTraceroute Ethernet (CFM)

DNS Proxy

Adomain name service (DNS) proxy allows clients to use a device as aDNSproxy server.

Use of a DNS proxy improves domain lookup performance by caching previous lookups.

A typical DNS proxy processes DNS queries by issuing a new DNS resolution query to

each name server that it has detected until the hostname is resolved.

Table 10 on page 13 lists the DNS proxy features that are supported on JunosV Firefly.

Table 10: DNS Proxy Support


YesDNS proxy cache

YesDNS proxy with split DNS

YesDynamic DNS



Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is based on BOOTP, a bootstrap protocol

that allows a client to discover its own IP address, the IP address of a server host, and

the nameof a bootstrap file. DHCP servers can handle requests fromBOOTP clients, but

provide additional capabilities beyond BOOTP, such as the automatic allocation of

reusable IP addresses and additional configuration options.

DHCP provides two primary functions:

• Allocate temporary or permanent IP addresses to clients.

• Store, manage, and provide client configuration parameters.

Table 11 on page 14 lists the DHCP features that are supported on JunosV Firefly.

Table 11: DHCP Support


NoDHCPv6 client

YesDHCPv4 client

NoDHCPv6 relay agent

YesDHCPv4 relay agent

YesDHCPv6 server

YesDHCPv4 server

YesDHCP server address pools

YesDHCP server static mapping

Ethernet Link Aggregation

Link aggregation groups (LAGs) based on IEEE 802.3admake it possible to aggregate

physical interface links on a device. LAGs provide increased interface bandwidth and link

availability by linking physical ports and load-balancing traffic crossing the combined

interface.

TheLinkAggregationControlProtocol (LACP), asubcomponentof IEEE802.3ad,provides

additional functionality for LAGs. LACP is supported in standalone deployments, where

aggregatedEthernet interfacesare supported, and in chassis cluster deployments,where

aggregated Ethernet interfaces and redundant Ethernet interfaces are supported

simultaneously.

JunosV Firefly provides Ethernet Link Aggregation support in routing mode only.



Table 12 on page 15 lists the Ethernet link aggregation features that are supported on

JunosV Firefly.

Table 12: Ethernet Link Aggregation Support


Routingmode

NoLACP in chassis cluster pair

YesLACP in standalone device

YesLayer 3 LAG on routed ports

NoStatic LAG in chassis cluster mode

YesStatic LAG in standalonemode

Ethernet Link Fault Management

The Ethernet interfaces on the JunosV Firefly support the IEEE 802.3ah standard for

Operation,Administration, andMaintenance (OAM).ThestandarddefinesOAM link fault

management (LFM).

JunosV Firefly provides Ethernet Link Fault Management support in routing mode only.

Table 13 on page 15 lists the LFM features that are supported on JunosV Firefly in routing

mode.

Table 13: Ethernet Link Fault Management Support in RoutingMode


Interfaces supported:

NoLACP in chassis cluster pair

YesLACP in standalonemode

NoStatic LAG in chassis cluster mode

YesStatic LAG in standalonemode

Physical interface (encapsulations)

Noethernet-ccc

Noextended-vlan-ccc

Noethernet-tcc

Noextended-vlan-tcc



Table 13: Ethernet Link Fault Management Support in RoutingMode (continued)


Interface family

Yesinet

Yesmpls

Noccc

Notcc

Yesiso

Noethernet-switching

Yesinet6

Aggregated Ethernet interface:

YesStatic LAG

YesLACP enabled LAG

Interface family

Noethernet-switching

Yesinet

Yesinet6

Yesiso

Yesmpls



File Management

You can use the J-Web interface to perform routine file management operations such

as archiving log files and deleting unused log files, cleaning up temporary files and crash

files, and downloading log files from the routing platform to your computer. You can also

encrypt the configuration files with the CLI configuration editor to prevent unauthorized

users from viewing sensitive configuration information.

Table 14 on page 17 lists the file management features that are supported on JunosV

Firefly.

Table 14: File Management Support


YesClean up unnecessary files

YesDelete backup software image

YesDelete individual files

YesDownload system files

YesEncrypt/decrypt configuration files

YesManage account files

YesRescue

YesSystem snapshot

YesSystem zeroize

YesMonitor start

YesArchive files

YesCalculate checksum

YesCompare files

YesRename files



Firewall Authentication

Junos OS supports the following two types of firewall user authentication:

• Pass-through authentication—Ahost or a user fromone zone tries to access resources

on another zone. Youmust use an FTP, Telnet, or HTTP client to access the IP address

of the protected resource and to get authenticated by the firewall. The device uses

FTP, Telnet, or HTTP to collect username and password information. Subsequent

traffic from the user or host is allowed or denied based on the result of this

authentication.

• Web authentication—Users try to connect, using HTTP, to an IP address on the device

that is enabled forWeb authentication; in this scenario, you do not use HTTP to get to

the IP address of the protected resource. You are prompted for the username and

password that are verified by the device. Subsequent traffic from the user or host to

the protected resource is allowed or denied based on the result of this authentication.

Table 15 on page 18 lists firewall authentication features that are supported on JunosV

Firefly.

Table 15: Firewall Authentication Support


NoFirewall authentication on Layer 2 transparent authentication

YesLDAP authentication server

YesLocal authentication server

YesPass-through authentication

YesRADIUS authentication server

YesSecurID authentication server

YesWeb authentication

Flow-Based and Packet-Based Processing

A packet undergoes flow-based processing after any packet-based filters and policers

havebeenapplied to it. A flow is a streamof relatedpackets thatmeet the samematching

criteria and share the same characteristics. Junos OS treats packets belonging to the

same flow in the samemanner.

Apacketundergoespacket-basedprocessingwhen it is dequeued from its input (ingress)

interface and before it is enqueued on its output (egress) interface. Packet-based

processingapplies stateless firewall filters andclass-of-service (CoS) features todiscrete

packets. You can apply a firewall filter to an ingress or egress interface, or to both.



Table 16 on page 19 lists the flow-based and packet-based features that are supported

on JunosV Firefly.

Table 16: Flow-Based and Packet-Based Processing Support


YesAlarms and auditing

NoEnd-to-end packet debugging

YesFlow-based processing

NoNetwork processor bundling

YesPacket-based processing

YesSelective stateless packet-based services

Interfaces

All Juniper Networks devices use network interfaces to connect to other devices. Each

device interface has a unique name that follows a naming convention.

Youmustconfigureeachnetwork interfacebefore it canoperateon thedevice.Configuring

an interface can define both the physical properties of the link and the logical properties

of a logical interface on the link.

Table 17 on page 19 lists the features of the physical and virtual interfaces that are

supported on JunosV Firefly.

Table 17: Physical and Virtual Interface Support


YesEthernet interface

YesGigabit Ethernet interface

Table 18 on page 19 lists the features of the services that are supported on JunosV Firefly.

Table 18: Services Support


YesAggregated Ethernet interface

YesGRE interface

YesIEEE 802.1X dynamic VLAN assignment



Table 18: Services Support (continued)


YesIEEE 802.1X MAC bypass

YesIEEE 802.1X port-based authentication control withmultisupplicant support

NoInterleaving using MLFR

NoInternally configured interface used by the systemas a controlpath between theWXC Integrated Services Module and theRouting Engine

YesInternally generated GRE interface (gr-0/0/0)

YesInternally generated IP-over-IP interface (ip-0/0/0)

YesInternally generated link services interface

YesInternally generated Protocol Independent Multicastde-encapsulation interface

YesInternally generated Protocol Independent Multicastencapsulation interface

YesLink fragmentation and interleaving interface

YesLink services interface

YesLoopback interface

YesManagement interface

NoPPP interface

NoPPPoE-based radio-to-router protocol

NoPPPoE interface

Yes

NOTE: Promiscuousmodeneeds tobeenabledonhypervisor.

Promiscuous mode on interfaces

YesSecure tunnel interface



IP Monitoring

The IPmonitoring feature monitors IP addresses and enables the device to track the

reachability of a particular IP address. Existing real-time performancemonitoring (RPM)

probesare sent toan IPaddress tocheck for reachability. Eachprobed target ismonitored

over the course of a test. During a test, probes are generated and responses collected at

a rate defined by the probe interval, which is the number of seconds between probes.

Table 19 on page 21 lists the IP monitoring features that are supported on JunosV Firefly.

Table 19: IP Monitoring Support


YesIP monitoring with route failover (for standalone devices andredundant Ethernet interfaces)

YesIP monitoring with interface failover (for standalone devices)

IP Security

IP Security (IPsec) is a suite of related protocols for cryptographically securing

communications at the IP layer. IPsec also provides methods for the manual and

automaticnegotiationof securityassociations (SAs)andkeydistribution, all theattributes

that are gathered in a domain of interpretation (DOI). The IPsec DOI is a document

containing definitions for all the security parameters required for successful negotiation

of a VPN tunnel—essentially, all the attributes required for SA and Internet Key Exchange

(IKE) negotiations.

In Public Key Infrastructure (PKI), a public-private key pair is used to encrypt and decrypt

data. Data encrypted with a public key, which the owner makes available to the public,

can be decrypted with the corresponding private key only, which the owner keeps secret

and protected. The reverse process is also useful: encrypting data with a private key and

decrypting itwith the correspondingpublic key. This process is knownascreatingadigital

signature. A digital certificate is an electronic means for verifying your identity through a

trusted third party, known as a certificate authority (CA).

The dynamic VPN feature simplifies remote access by enabling users to establish IP

Security (IPsec) VPN tunnelswithout having tomanually configure VPN settings on their

Windows PCs or laptops. Instead, authenticated users can simply download the Access

ManagerWebclient to their computers. This Layer3 remoteaccessclientusesclient-side

configuration settings that it receives from the server to create andmanage a secure

end-to-site VPN tunnel to the server.



Table 20 on page 22 lists IPsec features that are supported on JunosV Firefly.

Table 20: IPsec Support


YesAcadia - Clientless VPN

YesAH protocol

YesAlarms and auditing

YesAntireplay (packet replay attack prevention)

YesAuthentication

YesAuthentication Header (AH)

YesAutokey management

YesAutomated certificate enrollment using SCEP

YesAutomatic generation of self-signed certificates

NoBridge domain and transparent mode

YesCertificate - Configure local certificate sent to peer

YesCertificate - Configure requested CA of peer certificate

YesCertificate - Encoding: PKCS7, X509, PEM, DERs

YesCertificate - RSA signature

NoChassis clusters (active/backup and active/active)

YesClass of service

YesCRL update at user-specified interval

YesConfig Mode (draft-dukes-ike-mode-cfg-03)

YesDead Peer Detection (DPD)

YesDiffie-Hellman (PFS) Group 1



YesDiffie-Hellman Group 1



Table 20: IPsec Support (continued)




YesDigital signature generation

YesDynamic IP address

YesDynamic IPsec VPNs

YesEncapsulating Security Payload (ESP) protocol

YesEncryption Algorithms 3DES

YesEncryption Algorithms AES 128, 192, and 256

YesEncryption Algorithms DES

YesEncryption Algorithms NULL (authentication only)

YesEntrust, Microsoft, and Verisign certificate authorities (CAs)

YesExternal Extended Authentication (Xauth) to a RADIUS serverfor remote access connections

NoGroup Encrypted Transport (GET VPN)

NoGroup VPNwith dynamic policies

YesHard lifetime limit

NoHardware IPSec (bulk crypto) Cavium/RMI

YesHash Algorithms MD5

YesHash Algorithms SHA-1

YesHash Algorithms SHA-2 (SHA-256)

YesHub & Spoke VPN

YesIdle timers for IKE

YesImprovements in VPN Debug Capabilities

YesInitial Contact





YesInvalid SPI response

YesIKE Diffie-Hellman Group 14 support

YesIKE Phase 1

YesIKE Phase 1 lifetime

YesIKE Phase 2

YesIKE Phase 2 lifesize

YesIKE and IPSEC pre-define proposal sets to work with DynamicVPN client

YesIPSec tunnel termination in routing-instances

YesIKE support

YesIKEv1

YesIKEv1 authentication, preshared key

YesIKEv2

YesLocal IP address Management - VPN XAuth support

YesLocal IP address Management Support for DVPN

YesManual installation of DER-encoded and PEM-encoded CRLs

YesManual key management

YesManual proxy-ID (Phase 2 ID) configuration

YesNHTB - Next Hop Tunnel Binding

YesNew IPSec Phase 2 Authentication Algorithm

YesOnline CRLretrieval through LDAP and HTTP

YesPackage dynamic VPN client

YesPolicy-based VPN

YesPreshared key (PSK)





YesPrioritization of IKE packet processing

YesReconnect to dead IKE peer

YesRemote Access

YesRemote Access user IKE peer

YesRemote Access user-group IKE peer - group IKE ID

YesRoute-based VPN

YesSHA-2 IPSec support

YesSoft lifetime

YesStatic IP address

YesSuites: Standard, Compatible, Basic, and custom-created

YesSupport forNHTBwhen thest0.x interface isbound toa routinginstance

YesSupport for Remote Access peers with shared IKE identity +mandatory XAuth

YesSupport group IKE IDs for Dynamic VPN configuration

YesTOS/DSCP honoring/coloring (inner/outer)

YesTunnel Mode with clear/copy/set Don't Fragment bit

NoUAC Layer 3 enforcement

YesVirtual router support for route-based VPNs

YesVPNmonitoring (proprietary)

YesX.509 encoding for IKE

YesXAuth (draft-beaulieu-ike-xauth-03)



IPv6 Support

IPv6 is the successor to IPv4. IPv6 builds upon the functionality of IPv4, providing

improvements to addressing, configuration andmaintenance, and security. These

improvements include:

• Expandedaddressingcapabilities—IPv6providesa largeraddressspace. IPv6addresses

consist of 128 bits, whereas IPv4 addresses consist of 32 bits.

• Header format simplification—IPv6 packet header format is designed to be efficient.

IPv6 standardizes the size of the packet header to 40 bytes, divided into 8 fields.

• Improved support for extensions and options—Extension headers carry Internet-layer

information and have a standard size and structure.

• Improved privacy and security—IPv6 supports extensions for authentication and data

integrity, which enhance privacy and security.

Table 21 on page 26 lists the IPv6 features that are supported on JunosV Firefly.

Table 21: IPv6 Support


Flow-based forwarding and security features

YesAdvanced flow

NoDS-Lite concentrator (aka AFTR)

NoDS-Lite initiator (aka B4)

YesFirewall filters

YesForwarding option: flowmode

YesMulticast flow

YesScreens

YesSecurity policy (firewall)

NoSecurity policy (IDP)

NoSecurity policy (user role firewall)

YesZones

YesIPv6 ALG support for FTP

Routing, NAT, NAT-PT support



Table 21: IPv6 Support (continued)


YesIPv6 ALG support for ICMP

Routing, NAT, NAT-PT support

YesIPv6 NAT

NAT-PT, NAT support

YesIPv6 NAT64

YesIPv6–related protocols

BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng

YesIPv6 ALG support for TFTP

YesSystem services

DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet,traceroute

Packet-based forwarding and security features

YesClass of service

YesFirewall filters

YesForwarding option: packet mode

IPv6 IP Security

IPv6 IP Security (IPsec) is the implementation of the IPsec suite of protocols in IPv6

networks. IPsecprovides interoperable, highquality, andcryptographicallybasedsecurity

services for traffic at the IP layer. In IPv6, IPsec enhances the original IP protocol by

providing authenticity, integrity, confidentiality, and access control to each IP packet

through theuseof twoprotocols: authenticationheader (AH)andEncapsulatingSecurity

Payload (ESP).

Table 22 on page 27 lists the IPv6 IPsec features that are supported on JunosV Firefly.

Table 22: IPv6 IP Security Support


Yes4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1

Yes4in4 and 6in6 policy-based site-to-site VPN, manual key

Yes4in4 and 6in6 route-based site-to-site VPN, AutoKey IKEv1

Yes4in4 and 6in6 route-based site-to-site VPN, manual key



Log File Formats

Junos OS generates separate log messages to record events that occur on the system’s

control and data planes. The control plane logs (called system logs) include events that

occur on the routing platform. The data plane logs (called security logs) primarily include

security events that the system has handled directly inside the data plane.

Table 23 on page 28 lists the system and security log file formats supported on JunosV

Firefly.

Table 23: Security Log File Formats


System (Control Plane) Log File Formats

NoBinary format (binary)

YesStructured syslog (sd-syslog)

YesSyslog (syslog)

NoWebTrends Enhanced Log Format (welf)

Security (Data Plane) Log File Formats

YesBinary format (binary)

YesStructured syslog (sd-syslog)

YesSyslog (syslog)

YesWebTrends Enhanced Log Format (welf)

MPLS

MPLS provides a framework for controlling traffic patterns across a network. The MPLS

framework allows JunosV Firefly to pass traffic through transit networks on paths that

are independent of the individual routing protocols enabled throughout the network.

The MPLS framework supports traffic engineering and the creation of virtual private

networks (VPNs). Traffic is engineered (controlled) primarily by the use of signaling

protocols to establish label-switched paths (LSPs). VPN support includes Layer 2 and

Layer 3 VPNs and Layer 2 circuits.



Table 24 on page 29 lists the MPLS features that are supported on JunosV Firefly.

Table 24: MPLS Feature Support


YesCCC and TCC

YesCLNS

YesInterprovider and carrier-of-carriers VPNs

YesLayer 2 VPNs for Ethernet connections

YesLayer 3 MPLS VPNs

YesLDP

YesMPLS VPNs with VRF tables on provider edge routers

YesMulticast VPNs

YesOSPF and IS-IS traffic engineering extensions

YesP2MP LSPs

YesRSVP

YesSecondary and standby LSPs

YesStandards-based fast reroute

NoVPLS

Multicast

Multicast traffic lies between the extremes of unicast (one source, one destination) and

broadcast (one source, all destinations). Multicast is a “one source, many destinations”

method of traffic distribution, meaning that only the destinations needing to receive the

information from a particular source receive the traffic stream.

IP network destinations (clients) do not often communicate directly with sources

(servers), so the routers between source and destination must be able to determine the

topology of the network from the unicast ormulticast perspective to avoid routing traffic

haphazardly. Themulticast router must find multicast sources on the network, send out

copies of packets on several interfaces, prevent routing loops, connect interested

destinationswith theproper source, andkeepthe flowofunwantedpackets toaminimum.

Standard multicast routing protocols provide most of these capabilities.



Table 25 on page 30 lists the multicast features that are supported on JunosV Firefly.

Table 25: Multicast Support


YesFiltering PIM register messages

YesIGMP

YesPIM RPF routing table

YesPrimary routingmode (densemode for LAN and sparsemodefor WAN)

YesProtocol Independent Multicast Static RP

YesSession Announcement Protocol (SAP)

YesSDP

Multicast VPN

MPLSmulticast VPNs employ the intra-autonomous system (AS) next-generation

(NGEN) BGP control plane and Protocol Independent Multicast (PIM) sparse mode as

the data plane.

A multicast VPN is defined by two sets of sites, a sender site set and a receiver site set.

These sites have the following properties:

• Hostswithin the sender site set canoriginatemulticast traffic for receivers in the receiver

site set.

• Receivers outside the receiver site set should not be able to receive this traffic.

• Hosts within the receiver site set can receive multicast traffic originated by any host in

the sender site set.

• Hostswithin the receiver site set shouldnotbeable to receivemulticast trafficoriginated

by any host that is not in the sender site set.

Table26onpage30 lists themulticastVPN features thatare supportedon JunosVFirefly.

Table 26: Multicast VPN Support


YesBasic multicast features in C-instance

YesMulticast VPNmembership discovery with BGP

YesP2MP LSP support



Table 26: Multicast VPN Support (continued)


YesP2MPOAM - P2MP LSP ping

YesReliable multicast VPN routing information exchange

Network Address Translation

Network Address Translation (NAT) is a method by which IP addresses in a packet are

mapped from one group to another and, optionally, port numbers in the packet are

translated into different port numbers.

NAT is described in RFC 3022 to solve IP (version 4) address depletion problems. Since

then, NAT has been found to be a useful tool for firewalls, traffic redirect, load sharing,

network migrations, hide topology, and so on.

Table 27 on page 31 lists the NAT features that are supported on JunosV Firefly.

Table 27: NAT Support


YesDestination IP address translation

YesDisabling source NAT port randomization

YesInterface source NAT pool port

YesNAT address pool utilization threshold status

YesNAT traversal (NAT-T) for site-to-site IPsec VPNs (IPv4)

YesPersistent NAT

YesPersistent NAT binding for wildcard ports

YesPersistent NAT hairpinning

YesMaximize persistent NAT bindings

YesPool translation

YesProxy ARP (IPv4)

YesProxy NDP (IPv6)

YesRemoving persistent NAT query bindings

YesRule-based NAT



Table 27: NAT Support (continued)


YesRule translation

YesSource address and group address translation for multicastflows

YesSource IP address translation

YesStatic NAT

Network Operations and Troubleshooting

You can use commit scripts, operation scripts, and event policies to automate network

operations and troubleshooting tasks. You can use commit scripts to enforce custom

configuration rules. You can use operation scripts to automate network management

and troubleshooting tasks. You can configure event policies that initiate self-diagnostic

actions on the occurrence of specific events.

Table 28 on page 32 lists the network operations features that are supported on JunosV

Firefly.

Table 28: Network Operations and Troubleshooting Support


YesEvent policies

YesEvent scripts

YesOperation scripts

YesXSLT commit scripts

Network Time Protocol

The Network Time Protocol (NTP) provides themechanisms for synchronizing time and

coordinating time distribution in a large, diverse network. NTP uses a returnable-time

design in which a distributed subnet of time servers operating in a self-organizing,

hierarchical primary-secondary configuration synchronizes local clockswithin the subnet

and to national time standards by means of wire or radio.



Packet Capture

Packet capture is a tool that helps you analyze network traffic and troubleshoot network

problems. The packet capture tool captures real-time data packets, traveling over the

network, for monitoring and logging.

NOTE: Packet capture, in this context, refers to standard interface packetcapture. It is not part of the IDP. Packet capture is supported only on physicalinterfaces and tunnel interfaces; for example, gr, ip, st0, lsq-/ls-. Packetcapture is not supported on redundant Ethernet interfaces (reth).

Packets are captured as binary data, without modification. You can read the packet

information offline with a packet analyzer such as Ethereal or tcpdump.

Routing

Routing is the transmission of data packets from a source to a destination address. For

packets to be correctly forwarded to the appropriate host address, the host must have

auniquenumeric identifier or IPaddress. Theunique IPaddressof thedestinationprefixes

forms entries in the routing table. These entries are primarily responsible for determining

the path that a packet traverses when transmitted from source to destination.

Table 29 on page 33 lists the routing features that are supported on JunosV Firefly.

Table 29: Routing Support


YesBGP

YesBGP extensions for IPv6

YesCompressed Real-Time Transport Protocol (CRTP)

YesECMP flow-based forwarding

YesInternet Group Management Protocol (IGMP)

YesIPv4 options and broadcast Internet diagrams

YesIPv6 routing, forwarding, global address configuration, andInternet Control Message Protocol (ICMP)

YesIS-IS

YesMultiple virtual routers

YesNeighbor Discovery Protocol and Secure Neighbor DiscoveryProtocol



Table 29: Routing Support (continued)


YesOSPF v2

YesOSPF v3

YesRIP next generation (RIPng)

YesRIP v1, v2

YesStatic routing

YesVirtual Router Redundancy Protocol (VRRP)

SecureWeb Access

You canmanage a Juniper Networks device remotely through the J-Web interface. To

communicate with the device, the J-Web interface uses the Hypertext Transfer Protocol

(HTTP). HTTP allows easyWeb access but no encryption. The data that is transmitted

between theWebbrowser and thedevice bymeansofHTTP is vulnerable to interception

andattack.Toenable secureWebaccess, the JuniperNetworksdevices supportHypertext

Transfer Protocol over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS

access on specific interfaces and ports as needed.

Table 30 on page 34 lists the secure web access features that are supported on JunosV

Firefly.

Table 30: SecureWeb Access Support


YesCAs

YesHTTP

YesHTTPS

Security Policy Support

With the advent of the Internet, the need for a secure network has become vital for

businesses with an Internet connection. Before a network can be secured for a business,

a network security policy has to outline all the network resources within that business

and identify the required security level for those resources. The network security policy

also defines the security threats and the actions taken for such threats. JunosOSstateful

firewall policy provides a set of tools to network administrators, enabling them to

implement network security for their organizations. Global policies allow you to regulate

traffic with addresses and applications, regardless of their security zones.



Table 31 on page 35 lists the security policy features that are supported on JunosV Firefly.

Table 31: Security Policy


YesAddress books/Address sets

YesCustom policy applications

YesGlobal Policy

YesPolicy application timeouts

YesPolicy applications and application sets

YesPolicy hit-count tracking

YesSchedulers

YesSecurity policies for self-traffic

NoSSL proxy

NoUser role firewall

YesCommon predefined applications

YesShadow policy

Security Zone

A security zone is:

• A collection of one or more network segments requiring the regulation of inbound and

outbound traffic through policies

• A group of networks that follow the same security principles

• A group of logical entities to which one or more interfaces are bound

On a single device, you can configure multiple security zones, dividing the network into

segments to which you can apply various security options to satisfy the needs of each

segment. At a minimum, youmust define two security zones, basically to protect one

area of the network from the other.

Table 32 on page 36 lists the zones supported on JunosV Firefly.



Table 32: Zones Support


YesFunctional zone

YesSecurity zone

Session Logging

You can obtain information about the sessions and packet flows active on your device,

including detailed information about specific sessions. You can display this information

to observe activity and for debugging purposes.

Table 33 on page 36 lists the session logging features that are supported on JunosV

Firefly.

Table 33: Session Logging Support


YesAccelerating security and traffic logging

YesAggressive session aging

YesGetting information about sessions

YesLogging to a single server

YesSession logging with NAT information

SMTP

SMTP is used for sending e-mail messages between servers. SMTP can be used to send

an e-mail message to a local or a remote mail server to forward an e-mail message.

While electronic mail servers use SMTP to send and receive mail messages, user-level

client mail applications typically use SMTP only for sending messages to amail server

for relaying. For receiving messages, client applications usually use either Post Office

Protocol (POP) or Internet Message Access Protocol (IMAP).

SNMP

SNMP enables the monitoring of network devices from a central location. Use SNMP to

determine where and when a network failure is occurring, and to gather statistics about

network performance to evaluate the overall health of the network and identify

bottlenecks.

SNMP v1, v2, and v3 are supported on JunosV Firefly.



Stateless Firewall Filters

A stateless firewall filter evaluates the contents of packets transiting the device from a

source to a destination, or the contents of packets originating from, or destined for, the

Routing Engine. Stateless firewall filters applied to the Routing Engine interface protect

the processes and resources owned by the Routing Engine. A stateless firewall filter

evaluates every packet, including fragmented packets.

A stateless firewall filter, often called a firewall filter or access control list (ACL), statically

evaluates packet contents. In contrast, a stateful firewall filter uses connection state

information derived frompast communications and other applications tomake dynamic

control decisions.

Table 34 on page 37 lists the features of stateless firewall filters that are supported on

JunosV Firefly.

Table 34: Stateless Firewall Filters Support


YesStateless firewall filters (ACLs)

NoStateless firewall filters (simple filter)

System Log Files

JunosOSsupports configuringandmonitoringof system logmessages (alsocalled syslog

messages). You can configure files to log systemmessages and also assign attributes,

suchas severity levels, tomessages. TheViewEventspage in the J-Web interfaceenables

you to filter and view system logmessages.

Table 35 on page 37 lists the features of system log files that are supported on JunosV

Firefly.

Table 35: System Log Files Support


YesArchiving system logs

YesConfiguring system logmessages

YesDisabling system logs

YesFiltering system logmessages

YesMultiple system log servers (control-plane logs)

YesSending system logmessages to a file



Table 35: System Log Files Support (continued)


YesSending system logmessages to a user terminal

YesViewing data plane logs

YesViewing system logmessages

Upgrading and Rebooting

When you power on the JunosV Firefly VM, it starts (boots up) using its primary boot

device. As new features and software fixes become available, youmust upgrade your

software to use them. Before an upgrade, we recommend that you back up your primary

boot device.

You can configure the primary boot device with a snapshot of the current configuration,

default factory configuration, or rescue configuration. You can also replicate the

configuration for use on another device, or configure a boot device to receive core files

for troubleshooting.

Table 36 on page 38 lists the upgrading and rebooting features that are supported on

JunosV Firefly.

Table 36: Upgrading and Rebooting Support


YesAutorecovery

YesBoot device configuration

YesBoot device recovery

YesChassis components control

YesChassis restart

YesDownloadmanager

NoDual-root partitioning

NoIn-band cluster upgrade

NoLow-impact cluster upgrades

YesSoftware upgrades and downgrades



User Interfaces

You can use two user interfaces to monitor, configure, troubleshoot, andmanage your

device—the command-line interface (CLI) for Junos OS and the J-Web interface.

The Junos OS CLI is the software interface you use to access a device running Junos

OS—whether from the console or through a network connection. By leveraging

industry-standard tools and utilities, the CLI provides a powerful set of commands that

you can use to monitor and configure devices running Junos OS.

The J-Web interface allows you to monitor, configure, troubleshoot, andmanage the

routing platform bymeans of aWeb browser enabled with Hypertext Transfer Protocol

(HTTP) or HTTP over Secure Sockets Layer (HTTPS). J-Web provides access to all the

configuration statements supported by the routing platform, so you can fully configure

your device without using the Junos OS CLI.

Table 37 on page 39 lists the user interface features that are supported on JunosV Firefly.

Table 37: User Interfaces Support


YesCLI

YesJ-Web user interface

YesJunos XML protocol

NoNetwork and Security Manager

YesJunos Space SD

NoSRC application



CHAPTER 3

Feature Support Information

JunosV Firefly inherits many features from the SRX Series product line. However, there

are certain features that might not be directly applicable in a virtualized environment,

and such SRX Series features have been excluded from the JunosV Firefly product line.

The following table lists some of the SRX Series product line features that are not

supported on JunosV Firefly as of Junos OS Release 12.1X44-D20.

NOTE: For the support information on features that are not listed in any ofthe tables in this guide, or for feature roadmap details, contact your JuniperNetworks representative.

Table 38 on page 41 lists the features that are not supported on JunosV Firefly.

Table 38: JunosV Firefly Feature Support Information


NoApplication Identification (Junos OS)

NoAuthentication with IC Series Devices

NoChassis Cluster and Chassis Management

NoGeneral Packet Radio Service

NoIntrusion Detection and Prevention

NoLayer 2 Mode

NoLogical Systems

NoPower over Ethernet

NoPublic Key Infrastructure

NoRemote Device Access

NoRoute Reflector


Table 38: JunosV Firefly Feature Support Information (continued)


NoRPM Probe

NoServices Offloading

NoTransparent Mode

NoUnified Threat Management

NoUSBModem

NoVirtual Private LAN Service

NoVoice over Internet Protocol with Avaya

NoWireless Local Area Network



PART 2

Index

• Index on page 45


Index

Symbols#, comments in configuration statements....................vii

( ), in syntax descriptions......................................................vii

< >, in syntax descriptions....................................................vii

[ ], in configuration statements..........................................vii

{ }, in configuration statements.........................................vii

| (pipe), in syntax descriptions...........................................vii

Aaddress book...............................................................................7

support table......................................................................7

administrator authentication................................................7

support table......................................................................7

alarms............................................................................................8

support tables...................................................................8

ALG See Application Layer Gateway

Application Layer Gateway...................................................8

support table......................................................................8

autoinstallation..........................................................................11

support table.....................................................................11

Bbraces, in configuration statements.................................vii

brackets

angle, in syntax descriptions.......................................vii

square, in configuration statements........................vii

Cclass of service..........................................................................12

support table....................................................................12

comments, in configuration statements........................vii

conventions

notice icons........................................................................vi

text and syntax.................................................................vi

CoS See class of service

curly braces, in configuration statements......................vii

customer support...................................................................viii

contacting JTAC..............................................................viii

DDHCP See Dynamic Host Configuration Protocol

documentation

comments on...................................................................vii

Dynamic Host Configuration Protocol.............................14

support table....................................................................14

EEthernet link aggregation......................................................14

support table....................................................................14

Ethernet link fault management........................................15

support table....................................................................15

Ffile format

security logs.....................................................................28

file management......................................................................17

support table.....................................................................17

firewall authentication..........................................................18

support table....................................................................18

firewall filters

stateless.............................................................................37

flow-based and packet-based processing....................18

support table....................................................................18

font conventions.......................................................................vi

Iinterfaces....................................................................................19

support table....................................................................19

user......................................................................................39

IP monitoring..............................................................................21

redundant Ethernet interface.....................................21

standalone device...........................................................21

IPsec..............................................................................................21

support table....................................................................21

IPv6..............................................................................................26

support table...................................................................26

IPv6 IP Security........................................................................27

support table....................................................................27

Llogging

sessions.............................................................................36

Mmanuals

comments on...................................................................vii

MPLS...........................................................................................28

multicast....................................................................................29

support table...................................................................29

multicast VPN..........................................................................30


NNAT See Network Address Translation

Network Address Translation..............................................31

support table....................................................................31

network operations and troubleshooting......................32

support table...................................................................32

Network Time Protocol.........................................................32

support table...................................................................32

notice icons.................................................................................vi

NTP See Network Time Protocol

Ppacket capture.........................................................................33

support table...................................................................33

See also flow-based and packet-based

processing

parentheses, in syntax descriptions.................................vii

policy

security...............................................................................34

Rrouting.........................................................................................33

support table...................................................................33

Ssecure web access.................................................................34

support table...................................................................34

security log file format..........................................................28

security policy..........................................................................34

support table...................................................................34

session logging........................................................................36

SMTP...........................................................................................36

support table...................................................................36

SNMP..........................................................................................36

support table...................................................................36

stateless firewall filter...........................................................37

support table....................................................................37

support, technical See technical support

syntax conventions..................................................................vi

system log file...........................................................................37

support table....................................................................37

Ttechnical support

contacting JTAC..............................................................viii

troubleshooting

feature support...............................................................32

Uupgrading and rebooting.....................................................38

support table...................................................................38

user interfaces..........................................................................39

support table...................................................................39

Vvirtual private network

multicast...........................................................................30

VPN See virtual private network

multicast...........................................................................30

Zzones............................................................................................35

support table...................................................................35



Junosv Firefly Feature Support Guide Controlled Release

Documents

Transcript of Junosv Firefly Feature Support Guide Controlled Release