Errata for Junos Security

The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.

Version Location Description Submitted by Date submitted
PDF Page 1
Chapter 1 page 16

"We will discuss the screen feature in detail in Chapter 6." should be "We will discuss the screen feature in detail in Chapter 7."

Anonymous  Aug 20, 2012 
Printed Page 156
Bottom paragraph

The policy zone match stated for the policy is trust > web-dmz but this should be trust > trust, since the example on the previous pages uses an incorrect route lookup which matches ge-0/0/0.0 as the outbound interface.

Will Embrey  Oct 12, 2014 
PDF Page 187
near bottom of page

I believe the policy permit-to-internet-any that is designed to allow dept_b_users to access the internet would also give them full access to the mail server in the next policy (permit_b_to_mail).

This policy would work because mail traffic would be allowed, but it seems to me like it would also allow other traffic from Department B, which is in compliance with the stated goal, but the policies seem to suggest that restricting traffic from Department B is the goal.

Jerry Shenk  Nov 22, 2016 
PDF, Other Digital Version Page 221

Chapter 5: Network Address Translation. Source NAT

james@SRX5800-1# show | compare

+ rule phypoolNAT {
+ match {
+ source-address 198.18.11.0/24;
+ }

--
should be:

+ rule phypoolNAT {
+ match {
+ source-address 10.2.0.0/16;
+ }

Duso  Oct 17, 2010 
Printed Page 242
2nd Paragraph

"1.1.1.0/24" --> "198.18.31.0/24"

All 5 references in this paragraph to "1.1.1" should actually be "198.18.31" in keeping with the example provided on this page.

Adam White  Apr 20, 2011 
Printed Page 255
2nd paragraph

"Secure Hash Algorithm 1 - 168 bit" should be "160 bit"

Ryan Gao  May 08, 2022 
Printed Page 261
very bottom of the page

Main Mode
...when the IP address of the client is not fixed,


This should be

...when the IP address of the client is fixed or static

Soon  Apr 07, 2011 
PDF Page 283
middle of remote office configuration

The "set" command is missing before the configuration of the encryption-algorithm configuration

jerry shenk  Dec 12, 2016 
Printed, PDF Page 291
middle of page

After setting the interface for this ike gateway (Remote-Office3), the next command is "sec security...." The security option is not valid in the "edit security ike gateway Remote-Office3" section. I also found an error in the ...Office1 section.

My SRX is running 11.4R1.6

Jerry Shenk  Jan 19, 2017 
Printed, PDF Page 291
middle of page

Update to prior entry:

Just add "top" to the beginning of the "set security..." command and it works.

Jerry Shenk  Jan 19, 2017 
Other Digital Version 299
Last Show output

[edit security policies from-zone trust to-zone untrust policy East-Branch-Inbound]
root@SRX5800# show
match {
    source-address 192.168.1.0/24;
    destination-address 10.0.0.0/8;
    application junos-http;
}
then {
    permit {
        tunnel {
            ipsec-vpn East-Branch;
            pair-policy East-Branch-Outbound;
        }
    }
    log {
        session-close;
    }
}

In the above from-zone trust to-zone untrust policy East-Branch-Inbound, "match" is wrong; the match is meant for from-zone untrust to-zone trust East-Branch-Inbound.

Sagar  Oct 01, 2011 
Printed Page 350
.

Page 350 is saying:
"Since this is the first firewall filter you've seen in this book,
let's go over the basics."

But you showed some firewall filters just a few pages ago (pages 344 and 345).

Anonymous  Aug 05, 2011 
Printed Page 458
Top

The Checking IPS Status mentions two examples.

For the first example (Inactive IPS example), there is the corresponding SRX console output.

However, for the second example (Active IPS Policy), only the header is present, and all of the console output is missing.

Diogo Monica  Apr 11, 2012 
PDF Page 496-497
Paragraph near bottom after code

Text on page 497:

"Here, access to http://www.thenewnetworkishere.com/us/en/new_network/ is allowed because the URL belongs to the whitelist, whereas access to any other URL in the http://www.thenewnetworkishere.com domain is denied."


The text is referring to URLs listed on page 496:

[edit security utm custom-objects]
set url-pattern allowed-urls value http://www.thenewnetworkishere.com
set url-pattern blocked-urls value http://www.thenewnetworkishere.com/us/en/new_network/


The author has swapped this whitelist item with the blacklist item.

Should read:

[edit security utm custom-objects]
set url-pattern allowed-urls value http://www.thenewnetworkishere.com/us/en/new_network/
set url-pattern blocked-urls value http://www.thenewnetworkishere.com

Louis G  Feb 02, 2017 
Printed Page 542
4th Paragraph

The first sentence of the fourth paragraph reads: "As discussed throughput this book, ..."

I believe throughput is a typo, and is meant to read: "As discussed throughout this book, ..."

Very minor, but every bit helps!

James Williams  Sep 05, 2013 
PDF Page 560
last paragraph

The matter discussed in this paragraph has already been covered on the preceding page, in the text box.

perw07  Aug 23, 2010 
PDF Page 564
Last two paragraphs

These two paragraphs, and the next on the following page, were probably meant to show the output of a "show interfaces ......." command giving an example of increasing send and receive statistics. Now we are just given a copy of part of the configuration from the preceding page.

perw07  Aug 23, 2010 
PDF Page 566
First paragraph

The line "fe-0/0/5;" should be indented to match the line above.

perw07  Aug 23, 2010 
PDF Page 572
paragraph 5 from end

The content of the line containing "primary" should be aligned to the line below it.

perw07  Aug 23, 2010 
Printed Page 603
3rd paragraph

Text states " As of Junos 10.2, it is possible to use dual fabric links on the branch SRX Series devices. Even if a control link and a fabric link were to fail, the last remaining control link would prevent split brain from occuring "

However, dual control links are not supported in branch SRX series; only dual fabric links.

Therefore, if a control link is to fail, does this mean that a fabric link converts to a control link to prevent split brain (it sure doesn't in practice)?

Branch SRX will go split brain if the control link fails.

Anonymous  Jan 26, 2011 
PDF Page 680
3rd paragraph from end

The text reads:

jamesq@SRX5800-1# show
term OrgXYZ {
    from {
        protocol rip;
        route-filter 198.18.16.0/20 exact;
<snip>

although earlier (and later) what is implemented is not "rip" but "aggregate":

jamesq@SRX5800-1# set term OrgXYZ from protocol aggregate

perw07  Aug 30, 2010 
Printed Page 757
2nd paragraph

In text:

get-interface-information

Should be:

get-software-information

perw07  Aug 31, 2010