Juniper Next-Gen SASE Firewall -BYOL

vSRX is a Virtual Security appliance that provides security and networking services at the perimeter in private or public cloud.

  • Juniper Networks
  • Third Party
  • Date of last update: 03/18/2025
  • Change notices

    Product version
    • 23.2.2

    Breaking changes

    EVPN Type 5 - Native Support

    Starting in Junos OS Release 22.4R1, you can configure pure Type 5 routes in an Ethernet VPN–Virtual Extensible LAN (EVPN-VXLAN) environment. These devices use EVPN Type 5 routes to advertise IP prefixes for inter-subnet connectivity within and across data centers.

    Source NAT port overload

    Starting in Junos OS Release 22.4R1, we've updated the hash algorithm to improve the distribution of network traffic when using the port overloading capability. This enables better utilization per IP, as appropriate to the type of network traffic.
    The hash algorithm uses the reverse traffic from the server, matches the existing sessions, and reuses the same Network Address Translation (NAT) resources.
    You can configure the updated hash algorithm using the enhanced-port-overloading-algorithm statement at the [security nat source pool pool-name port] and [security nat source interface] hierarchy levels.

    New features

    Dynamic routing protocol support for IPsec VPN in Multinode High Availability

    Starting in Junos OS Release 23.2R1, you can enable dynamic routing protocols for IPsec VPN in a Multinode High Availability setup by configuring node-local tunnels.
    To configure node-local tunnels, you must specify the set security ike gateway node-local statement in the IKE gateway configuration on both the SRX Series Firewalls in a Multinode High Availability setup.
    With dynamic routing protocols, you can add and remove IP prefixes in the network and automatically redistribute the prefixes to the network peers without changing the traffic selector configuration.

    JIMS support for Junos PKI infrastructure

    Starting in Junos OS Release 23.2R1, you configure a ca-profile under set security pki and assign it under JIMS by using the ca-profile option at the edit services user-identification identity-management connection (primary | secondary) hierarchy level. You can perform CRL and OCSP checks based on the settings under set security pki for the corresponding ca-profile.
    With the introduction of the new ca-profile option, we will deprecate the existing ca-certificate option at the edit services user-identification identity-management connection (primary | secondary) hierarchy level.

    Support to delete a single country code from GeoIP-based dynamic addresses

    Starting in Junos OS Release 23.2R1, you can delete a single country code from an IP-based geolocation (GeoIP)–Dynamic Address Entry (DAE) configuration.
    In previous releases, when you deleted a single country code from a GeoIP DAE, the SRX Series Firewall deleted all the country names and then added them back, except for the country code that you deleted. Now, you can use the same command to delete the country code. The SRX Series Firewall deletes only the IP ranges related to the given country code, without affecting the IP ranges of other countries.
    We've also updated the show security dynamic-address command to display the country code appended to the IP-based geolocation name.

    Support for dynamic update of trusted CA bundle

    Starting in Junos OS Release 23.2R1, we support the dynamic update of default trusted CA certificates. With this feature, you have the latest list of default trusted CA certificates on Junos OS devices. You can easily download, install, and update the certificate bundle periodically.

    Support for intelligent Web filtering profile selection

    Starting in Junos OS Release 23.2R1, dynamic app information from Juniper Networks Deep Packet Inspection (JDPI) is used to retrieve policy information before the final policy match occurs. The Web filter profile is updated again after the final policy selection, based on the final application match.
    The Content Security profile that is retrieved based on the dynamic app information is more accurate than applying the default profile, which was the earlier approach.

    Updates

    What has changed in 23.2R2-S1

    https://www.juniper.net/documentation/us/en/software/junos/release-notes/23.2/junos-release-notes-23.2r1/topics/what-changed/vsrx-what-change-cover.html

  • Server Image
  • Juniper Networks
  • 03/18/2025
  • Security

    Version last updated: 08/13/2024

    Summary

    The vSRX Virtual Firewall provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and Content Security features including Enhanced Web Filtering and Anti-Virus. Combined with ATP Cloud, the vSRX Virtual Firewall offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.

    Features and capabilities

    Content filtering

    Effective inbound and outbound content filtering based on MIME type, file extension, and protocol commands

    Web filtering

    Enhanced Web filtering, including extensive category options (90+ categories) and a real-time scorecard

    Antivirus

    Reputation-enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware

    Antispam

    Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, and MIME

    Getting support



    If you're experiencing issues with this product, use the following support information.

    https://apps.juniper.net/home/vsrx/support
    +1- 888-314-5822
    24 hours / 7 days a week

    1 hour

    Support locations

    Support locations refer to all of the countries in which product support teams are located.

    • United States
    • You must wait 1 hour after you contact this product's support before you can begin the escalation process.


    Summary

    Juniper Next-Gen SASE Firewall -BYOL

    • Deployment target: Virtual private cloud (x86)
    • Delivery method: Server Image