Errata for Juniper SRX Series

The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.

Version Location Description Submitted by Date submitted
1
1st paragraph, 3rd sentence

Chapter 1, paragraph 1, 3rd sentence reads:

"Despite what some competitive marketing campaigns have said, the is not dead, and it is every bit as necessary today as it was yesterday."

Possibly meant:

"Despite what some competitive marketing campaigns have said, the FIREWALL is not dead, and it is every bit as necessary today as it was yesterday."

Anonymous  Jul 01, 2013 
Printed Page 1
1st paragraph, 3rd sentence, 9th word

"Despite what some competitive marketing campaigns have said, the is not dead,..."

What is not dead? There seems to be a missing noun.

C.J. Adams-Collier  May 30, 2014 
1
Routing Instances section in Safari Books Online edition missing chapter

The Routing Instances chapter indicates that Logical Systems is covered in its own chapter. There is no coverage of Logical Systems in the book. This is a serious omission. The chapter doesn't exist.

Micah Cox  Oct 20, 2014 
2
4th paragraph

Page 2, paragraph 4 starts off:

The aged gracefully over time, but it hit some important limits that prevented it from being the choice for the next-generation SRX Series products.

Missing subject. What has aged gracefully? The ScreenOS?

Anonymous  Jul 01, 2013 
Printed Page 2
5th paragraph, 2nd word

"The aged gracefully over time..."

What aged gracefully over time? There seems to be a noun missing.

C.J. Adams-Collier  May 30, 2014 
PDF Page 7
1st Paragraph

It utilizes a WAN ports to connect directly to the Internet service provider (ISP).

I believe it should read as:

It utilizes WAN ports to connect directly to the Internet service provider (ISP)

--or--

It utilizes a WAN port to connect directly to the Internet service provider (ISP)

Anthony Burke  Apr 10, 2013 
PDF Page 167
2nd Paragraph

Since the release of the SRX Juniper has been moving the
majority of its services into any other routing instances but do to the nature of how Junos
shares its code with other platforms (such as MX or EX) a few services remain in the
master VR.


It should read "due to the nature of", not do.

Anthony Burke  Apr 10, 2013 
PDF Page 301
5th paragraph

Regarding the content:

"Second, the option to do commit confirmed
is no longer allowed, which, as you know, allows for a rollback to the previous configuration
if things go wrong. Both are very nice features that are not available when in
clustering mode. The reason these are disabled is simple: stability."

Actually, this commit confirmed feature was requested as an enhancement from my company and it was attended - I believe it was done after version 11.4. We are currently using the feature in my company.

Rodrigo Mello  Sep 29, 2013 
PDF Page 302
5th paragraph

Regarding the content:

"Second, the option to do commit confirmed
is no longer allowed, which, as you know, allows for a rollback to the previous configuration
if things go wrong. Both are very nice features that are not available when in
clustering mode. The reason these are disabled is simple: stability."

Actually, this commit confirmed feature was requested as an enhancement from my company and it was attended - I believe it was done after version 11.4. We are currently using the feature in my company.

Rodrigo Mello  Sep 29, 2013 
Printed Page 367
Diagram

If if if I am right then the diagram is supposed to be showing 2 SRX100 boxes being connected to 2 networks in an HA pair.

The networks are Trust reth0 should be and is 10.0.1.0/24 and reth1 should be and is Untrust 10.0.2.0/24.

So the config looks right but the diagram is showing both sets of interfaces as reth0 and 2 networks both called Trust.

Or am I going mad?

Can you confirm that I have got this right?

Thanks

Simon

(great book though)

Simon Fitzgerald  Sep 30, 2016 
Printed Page 383
5th paragraph

In the configuration of the address book, the address book name should be "trust", not "global".

wrong statement:
#set security address-book global ....

correct statement :

#set security address-book trust....

Red1  Nov 24, 2013 
Printed Page 413
last paragraph

The enabling ALG example is missing the keyword "enable", as below:

# set security alg sip enable

Red1  Nov 25, 2013 
Printed Page 509
Configuration output

In the previous pages (pg. 506-508), both destination and source NAT configuration statements are entered. However, only the destination NAT configuration is shown on pg. 509 in the output of "show security nat".

Anonymous  Dec 17, 2014 
PDF Page 519
First paragraph under Figure 11-2

Text reads:
"...whereas 25 would need to be maintained..."

Should read:
"...whereas 45 would need to be maintained..."

This is because the formula N(N-1)/2 in the example given would yield 10(10-1)/2 = 45

Adam White  May 14, 2013 
Printed Page 550
4th paragraph, Advanced Encryption Standard (AES)

"AES comes in different key bit lengths, most commonly 128, 256 and 384..."

384 bits is not a valid AES key length, this should read

"AES comes in different key bit lengths, most commonly 128, 192 and 256..."

Gavin Thirlwall  May 07, 2014 
PDF Page 610
Item 10

Mistakenly used the term "Hardware" when "Software" should have been used.

The sentence reads in part "the hardware encryption engines can't support them so they are done in hardware."

The second reference for hardware should be replaced with software.

Kelly McDowell  Jun 17, 2013 
Printed Page 652
1st paragraph

Book says that IP option screens block packets. For the most part this is not true. There are only two IP option screens that block traffic:
- ip bad-option
- ip source-route-option
The rest
- ip loose-source-route-option
- ip strict-source-route-option
- ip record-route-option
- ip security-option
- ip stream-option
- ip timestamp-option
are only counting them.
Please see Juniper's KB16119 for a detailed description of IP option screens' behaviour.

Wojciech Dudys  Oct 27, 2016 
PDF Page 657
ICMP Flood Screen

Used the word "asic", should say "cpu".

Sentence reads: "Junos only needs to process IP packets addressed to the firewall itself in the ASIC (and only if the FW is listening for ICMP on that port and doesn't have and access list configured to block it)."

ICMP packets addressed to the firewall are processed on the CPU.

Kelly McDowell  Jun 17, 2013 
ePub Page 11138
location 11138 in Kindle Version -"Remote Access VPNs"

"IPsec VPN allows a remote user to connect to a true site"

Woodberg, Brad; Cameron, Rob (2013-06-07). Juniper SRX Series (Kindle Location 11141). O'Reilly Media. Kindle Edition.

Should "true site" be "trusted site"?

Mike Lane  Feb 05, 2014