SRX Services Gateway
Highlighted
SRX Services Gateway

Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 08:36 AM
16 REPLIES 16
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 10:39 AM

Does this read like AppSecure is officially supported on Branch now?  Not just as an early trial

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 10:45 AM

You could have taken 10 seconds to open the link but here so others don't ask:

 

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes...

 

AppSecure

Applications Groups—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Application group support for application firewall (AppFW)—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 10:49 AM

Having a bad day? Relax.

 

I did open it.  which is why I wrote does it read like its supported.  The other release notes(11.2) had the same stuff but it turns out it wasnt actually supported.  These notes dont explicitly say its supported it just talks about new added features.  You would think they would include a phrase like " Hey its now offically supported" and not just talk about support for some features of AppSecure. 

 

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

[ Edited ]
‎11-21-2011 10:59 AM

11.4 release notes break out sections showing branch and high end support changes

11.3 does not list any change (mostly an EX release with some common platform notes)

11.2 clearly lists only the high end units as supported.

 

I actually don't find it that unclear.... hence my response... Also there seem to be a lot of admins that fail to read the release notes before upgrading between major releases, so it is a little bit of a pet peeve for me. Nothing personal.

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 11:18 AM

So will 11.4 eventually become the new recommended release to finally replace 10.4?

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 01:38 PM

I am just a user like you... However the JUNOS release schedule / new version numbering stipulates that 11.4 will be an Extended End of Life release so if the r1 release does not become recommended I would expect a r2 or r3 version of it to become recommended.

 

Also JUNIPER rarely updates the recomended release list until after all or most of the following happen:

- NSM has been updated to support the release

- the new release has at least gone two or so weeks in the wild without customers reporting new critical issues

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 04:30 PM

You need to get to the right section in the release notes (D'oh!)

 

 

---

Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers

AppSecure

  • Junos OS application identification

    When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

    The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

  • J-Web pages for AppSecure are preliminary.
  • Custom application signatures and custom nested application signatures are not currently supported by J-Web.
  • AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW counters.
  • AppSecure (AppTrack and AppFW) on the SRX100, SRX210, SRX220, SRX240, and SRX650 devices is available through a controlled (EFT – Early Field Trial) release.
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 04:31 PM

BTW, the main reason it's still EFT is that J-Web support still isn't complete, and that's deemed critical for full support in branch.

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 06:11 PM

Global address-book isn't supported in JWeb, and may not be until 12.x, so why isn't it referred to as "EFT" if JWeb is so critical?

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 06:17 PM

"main" != "only"...

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-21-2011 06:18 PM
Thanks for the clear up KB_fan.

@SomeITGuy.....Guess it was not that clear eh....
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-22-2011 05:01 AM

I really don't get these things. You offer new features, yet you don't complete them. New feature here, other aspect of the machine doesn't support the feature (e.g. you release AppSecure but your very own Web Interface doesn't handle it). 

 

So does that mean 11.4 is a beta release.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-22-2011 09:34 AM

@Magraw wrote:
Thanks for the clear up KB_fan.

@SomeITGuy.....Guess it was not that clear eh....

You got me there... but so did juniper.

 

Sorry for being snappy....

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

[ Edited ]
‎11-22-2011 11:53 AM

@Itguy: I'd say it's a matter of resource allocation, and customer demand. To call 11.4 "beta" because appsecure is in early field trial is a bit harsh. Those customers that need to see appsecure can do so. Those that would rather see it fully supported in J-Web first can hold off. I'd say that beats waiting for another quarter or two for the feature.

 

You find this all over the industry. Should the EX4500 not have been released because it didn't have VC capability out of the gate? What about dot1x, which is still missing? Where do you draw the line?  Should the lack of DAC 5m support have delayed the introduction of the entire 10G product line?

 

At what point is a product "feature-complete" enough for release?

 

I'd argue at the point where it can bring real value to a significant number of customers. As the product matures, it'll bring value to more situations and more customers.

 

Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-22-2011 12:28 PM

@tbehrens wrote:

@itguy: I'd say it's a matter of resource allocation, and customer demand. To call 11.4 "beta" because appsecure is in early field trial is a bit harsh. Those customers that need to see appsecure can do so. Those that would rather see it fully supported in J-Web first can hold off. I'd say that beats waiting for another quarter or two for the feature.

 

You find this all over the industry. Should the EX4500 not have been released because it didn't have VC capability out of the gate? What about dot1x, which is still missing? Where do you draw the line?  Should the lack of DAC 5m support have delayed the introduction of the entire 10G product line?

 

At what point is a product "feature-complete" enough for release?

 



If I were in Juniper's shoes, and given their history with the SRX so far (and the NSM disaster in this regards) I would be very careful releasing unfinished products.

 

Us in here probably don't care for J-Web at all but the "common customer" that I deal with on a daily basis will not understand why his new firewall has a ton of features here, but he can't use them there (e.g. he can't configure them using J-Web). A lot of customers I know come into the SRX with a background in SSGs. 

 

So to answer you question where I draw the line: I'll draw where a product looks like it's thrown on the market sooner than later and where you get half-baked features. Yes, AppSecure might be in there, but the management platform that are used by end users, namely NSM and J-Web, can't deal with these features. It's what I call lacking.

 

And it's really like a red thread running through the SRX history. The management side of things was always left behind. And Juniper needs to fix this, and bring both on par, rather then introducing new features. Make the basics work first. Make this product complete. Because it isn't.

 

Why the rush with AppSecure? Afraid of the competition (PAN)?

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Highlighted
SRX Services Gateway

Re: Junos® OS 11.4 Release notes have been posted for SRX

‎11-22-2011 01:36 PM

@crypto: I think you're hitting on some very legitimate concerns. J-Web. Central management. Stability. Feature parity with the rest of the market, specifically around application awareness and identity awareness.

 

I see Juniper moving on all of these fronts. Are they there yet? Decidedly not.

 

At the same time, I'd rather see progress now on the feature front. It allows me to position the SRX into more designs. Carefully, and with a full understanding of its shortcomings. Central management being a very prominent and painful one. At the same time, I don't see the progress on SPACE and NSM as having a direct impact on JunOS functionality and stability. I can get an early look at AppSecure and look forward  to improved central management. These are not mutually exclusive goals.

 

Your post could be interpreted as presenting a choice between improved central management and J-Web on the one hand, and additional SRX features on the other hand. If that was the choice you meant to present, I'd argue that that's a case of a "false dilemma". Both goals can be pursued at the same time.

 

Feedback