Juniper Networks NetScreen Release Notes
Product: Juniper NetScreen-5XT, Juniper NetScreen-204, Juniper NetScreen-208, Juniper NetScreen-500, Juniper NetScreen-5200, Juniper NetScreen-5400
Version: ScreenOS 5.0.0r9-FIPS
Release Status: Private
Part Number: 093-1638-000, Rev. A
Date: 6-01-05

Contents
1. Version Summary on page 2
2. New Features and Enhancements on page 3
2.1 New Features and Enhancements in ScreenOS 5.0.0r9-FIPS on page 3
2.2 New Features and Enhancements from ScreenOS 5.0.0r8 on page 3
2.
5. Known Issues on page 29
5.1 Limitations of Features in ScreenOS 5.0.0 on page 29
5.2 Compatibility Issues in ScreenOS 5.0.0 on page 30
5.2.1 Upgrade Paths from Previous Releases on page 31
5.3 Known Issues in ScreenOS 5.0.0 on page 32
5.3.1 Known Issues in ScreenOS 5.0.0r9-FIPS on page 32
5.3.2 Known Issues from ScreenOS 5.0.0r8 on page 33
5.3.3 Known Issues from ScreenOS 5.0.0r7 on page 34
5.3.4 Known Issues from ScreenOS 5.0.0r6 on page 34
5.3.
Refer to the following table to see which ScreenOS firmware image maps to which product.

Product                                      Firmware
Juniper NetScreen-5XT                        ns5xt.5.0.0r9.0
Juniper NetScreen-200 Series                 ns200.5.0.0r9.0
Juniper NetScreen-500                        ns500.5.0.0r9.0
Juniper NetScreen-5000 Series (with 5000-M)  ns5000.5.0.0r9.0

2. New Features and Enhancements
The following sections detail new features and enhancements in ScreenOS 5.0.0 releases.
According to Trend Micro, the categories of viruses bypassed include HTML and JavaScript. However, the subset of bypassed viruses can be described as follows: JavaScript/JScript/HTML embedded in HTML code (having an HTTP content type of text/HTML) AND accessed through a script-enabled browser from a remote web server (via HTTP). For example, anti-virus scanning would NOT be bypassed in the following scenarios:
1.
3. Changes to Default Behavior
There are numerous changes in default behavior. For detailed information on changes to default behavior in ScreenOS 5.0.0, refer to the Juniper Networks NetScreen ScreenOS Migration Guide.

Specific changes in default behavior in the ScreenOS 5.0.0r9-FIPS release:
• The unset vendor-def CLI command removes all files stored in flash memory except the license file.
• Security Manager does not work with this release.

4.
• 03537 – The device failed when it incorrectly sent the DHCPDISCOVER packet out in the callback function.
• 03528 – The subscription key retrieval operation worked only intermittently because the device did not close the SSL socket properly.
• 03522 – When Security Manager imported a Juniper NetScreen-5200 with a configuration containing a large number of policies (5,000) and VPNs (2,000), the device failed.
• 03358 – A very long URL entry when you attempted to perform URL filtering sometimes caused the device to fail.
• 03356 – The Phase 2 rekey sometimes failed after Phase 1 expired when you used Kbytes as the criterion to trigger a Phase 2 rekey operation.
• 03355 – Track IP packets were sent out at the wrong interval, increasing failed counts (decreasing success rates) even though pings worked correctly.
• 03269 – The Juniper NetScreen-5GT incorrectly autonegotiated to 10MBps half duplex after it had initially set itself to 10MBps full duplex.
• 03267 – The anti-virus feature had a problem handling HTTP packets because a web server inserted too many unnecessary white spaces in the HTTP header.
• 03263 – When managing the device from the V1-untrust or V1-trust interface using Manage IP, multiple sessions were created for each packet.
• 03132 – When using Juniper NetScreen-Remote to connect to a Juniper NetScreen-500 dial-up VPN using the WebUI, the IKE Gateway Configuration displays as user instead of user-group.
• 03128 – Mistakes occurred with Mapped IP (MIP) translation when a remote shell used a secondary session initiated from the server for redirecting standard error output from the console.
• 02986 – SSHv2 with RADIUS authentication failed to authenticate external users properly.
• 02985/02996 – The Juniper NetScreen-5000 Series systems sometimes failed from memory corruption due to kernel locking.
• 02975 – While performing a virus scan with the anti-virus engine, the anti-virus update failed, and no traffic could pass through a Juniper Networks security appliance because the policies blocked it, and the device failed repeatedly.
• 02867 – If the DHCP relay server was set with an IP address, the device incorrectly attempted to resolve the IP address to a host name even though there was no hostname.
• 02861 – IP swapping issues sometimes occurred on the Juniper NetScreen-5000 Series systems because of an invalid cache.
• 02845 – In an NSRP active-passive configuration, improper MAC table entries prevented the backup device from being managed.
• 02580 – When you created a new custom service and then configured a VPN using IKE, the Proxy ID setting in the VPN AutoKey IKE configuration incorrectly defaulted to the new custom service instead of the ANY service.
• 02555 – The system incorrectly created sessions for embedded ICMP packets.
• 02530 – A TCP stack error caused the BGP neighbor state to change to the Idle state before the BGP holddown time value (default of 180 seconds) expired.
• 01998 – You could not save the set console aux disable command into the device configuration.
• 01739 – Ping operations would not work if fast aging out of MAC addresses did not occur when a PC migrated from one Juniper NetScreen-5GT port to another in the same zone.
• 01635 – The system failed when H323 recomputed a UDP checksum; the UDP packet lengths sometimes were too consistent with the IP lengths.
whenever the device restarts and does not affect the normal operation of the device.
• 36473 – Restarting a Juniper Networks security appliance while it was performing an operation in flash sometimes damaged the data on the device and caused the device not to restart or to lose the configuration.
• 36235 – Adding the pre-defined service entry "ANY" in a multiple-service policy sometimes resulted in a system failure.
• 02926 – The number of syslog messages sent per second from the Juniper Networks security appliance was being limited by an internal process.
• 02924 – SMTP (Simple Mail Transfer Protocol) queued emails on Microsoft Outlook 2003 clients timed out when a policy had the anti-virus option enabled, because you could not perform more than one SMTP transaction within one session.
• 02822 – The DHCP utility did not work on one of the redundant interfaces on a device. The interface did not appear in the DHCP environment in the WebUI.
• 02814 – The SNMP interface index values were inconsistent through the SNMP tree. Interface index values uniquely identify each interface.
• 02805 – Under certain traffic conditions, some DNS and HTTP session timers were set with higher values than the DNS and HTTP service timeouts.
• 02709 – When you set a manual VPN authentication setting to NULL on a Juniper Networks security appliance, the device failed because a null length is invalid.
• 02707 – When performing an anti-virus scan on a Juniper NetScreen-5GT device, the device displayed an error-constraint-drop status.
• 02699 – When multiple interfaces belonging to different Vsys had the same IP address and subnet mask, VPN traffic to these subnets could pass to the wrong Vsys.
• 02655 – The event log timestamp changed to Daylight Saving Time (DST) even though DST was not enabled.
• 02642 – After configuring SCREEN setting thresholds on a device using the WebUI or CLI, the get config | include command did not display the configured settings.
• 02641 – The PKI IKE memory pool on a device had a memory leak caused by the Security Manager agent.
• 02551 – An NSRP backup device continuously indicated that a failover occurred when no failure on the primary device had occurred.
• 02543 – A device rebooted because of an improperly processed checksum.
• 02542 – When upgrading a Juniper NetScreen-5GT from ScreenOS 4.0.0r4 to ScreenOS 5.0.0r3, a PPP connection from a Windows XP client to a Windows 2000 server stopped working.
• 02536 – The priority value on a WebTrends syslog message varied from device to device.
• 02333 – When a device attempted to block files with a .exe extension, it incorrectly blocked files with a .zip extension.
• 02326 – A device incorrectly created sessions if the IP address had a unicast destination while the destination MAC address had a multicast destination.
• 02298 – Commands related to NHTB (Next Hop Tunnel Binding) did not run when you used a blank character when creating a tunnel name for NHTB.
4.3 Addressed Issues from ScreenOS 5.0.0r7
Manufacturing-only release.

4.4 Addressed Issues from ScreenOS 5.0.0r6
• 38268 – A Juniper Networks security appliance running a BGP peer virtual routing instance cannot use an MD5 type password when the device is connected to a Juniper Networks router.
• 38200 – A non-specific error in H323 caused memory leaks in device sessions.
• 02384 – The device failed if you connected an Ethernet cable to the untrust interface in the v1-untrust zone while the device was in transparent mode.
• 02383 – Under some circumstances, the OSPF routing instance could not build an adjacency because its memory buffer was not large enough to handle large databases.
• 02272 – HTTP and HTTPS packets passed through VPN tunnels more slowly than expected, sometimes to the point of timing out and causing the device to continually retransmit the packets.
• 02250 – The device sometimes generated an error when you updated a device and issued the following command with the following arguments: set interface tunnel.2 nhtb 10.1.2.
• 37069 – The configuration wizard option in the WebUI that enables you to skip the wizard screens was not present on the initial wizard screen. This option enables you to go directly to the WebUI login window to enter the device to manage it.
• 36669 – When 20,000 or more policies were configured on a Juniper Networks security appliance, you experienced a two- to three-minute delay when scrolling through the Policy List page in the WebUI.
• 02134 – When a policy specified a service that contained the same ranges for both the source port and destination port, traffic associated with other services with the same port ranges matched the conditions of the policy, and the policy responded with the actions associated with a match.
• 01981 – You could not set the priority of the modem to any value.
• 01957 – (NetScreen-5XT and 5GT only) The modem TEST button was missing in the WebUI.
discrepancy, you had to read the text description of the trap type to identify it. Now you can refer to the trap type value to identify it. For example, the traditional SNMP trap type value for a Cold Start event is 0. Please check the ScreenOS Messages Guide for the correct values in ScreenOS 5.0.0.
• 02062 – Under certain circumstances, Track-IP was not sent out and caused the NSRP failover operation to fail.
• 01985 – You could not schedule a policy using the WebUI.
• 01970 – Under certain circumstances, the Juniper Networks security appliance did not send email alerts.
• 01943 – When the DHCP payload (information included with the issuance of an IP address from a DHCP server) exceeded 550 bytes in length, the Juniper Networks security appliance was unable to send packets associated with the payload because the DHCP relay mechanism did not accept the packets.

4.
• 36717 – When upgrading to ScreenOS 5.0.0, the maximum number of address groups allowed for Layer2 predefined zones incorrectly got set to the same number as for custom zones. As a result, if the number of address groups in Layer2 predefined zones surpassed the maximum number allowed, some address groups got removed during the upgrade.
• 01958 – An internal mishandling of the MAC cache could cause a security appliance to crash.
• 01944 – The group addresses for the V1-untrust zone were getting lost after upgrading a device from a previous release. The group address for v1-untrust was incorrectly set to a maximum of 8 groups while it should have been 32.
• 01812 – Using un-initialized memory space when creating an outgoing packet caused the device to fail.

5.
• SSH Version 1 Interoperability – The embedded SSH server in ScreenOS 5.0.0 has issues with the client from SSH Communications Security when operating in SSH version 1 mode.
W/A: Use SSH version 2 or a different SSH version 1 client, such as OpenSSH.
• Primary & Backup Interfaces – (Juniper NetScreen-5XT) The primary and backup interfaces bound to the Untrust security zone cannot both use DHCP for address assignment at the same time.
– Freeswan – The Freeswan 1.3 VPN client is incompatible with ScreenOS 5.0.0 in certain configurations due to IKE features that Freeswan does not fully support. The result is that Phase 2 negotiations and the Phase 2 SA will not complete if the following commands are enabled in 5.0.0:
set ike initiator-set-commit
set ike responder-set-commit
set ike initial-contact
W/A: Unset these commands to ensure a compatible configuration on the Juniper Networks security appliance.
Juniper NetScreen-5000 series only: Before you upgrade a Juniper Networks security appliance to ScreenOS 5.0.0, we recommend that you verify the amount of memory on the device using the get system CLI command. You need 1 gigabyte of memory for the Juniper NetScreen-5000. If you start upgrading the device and run into memory problems, you might see the following messages: "insufficient memory, call TAC" or "see release notes for upgrade instructions".
• 03504 – The value of the sysUpTime variable from an SNMP query incorrectly displays as more than 497 days.
• 03495 – When the device drops packets after you issued the set flow tcpsyn-check command, ScreenOS does not log the drop instances.
• 03492 – When you enable the URL filtering service, the device drops HTTP Move packets.
W/A: Execute the save command first, before executing the save config from flash to slot1 command.

5.3.3 Known Issues from ScreenOS 5.0.0r7
None.

5.3.4 Known Issues from ScreenOS 5.0.0r6
None.

5.3.5 Known Issues from ScreenOS 5.0.0r5
None.

5.3.6 Known Issues from ScreenOS 5.0.0r4
• 38109 – When running 5,000 UDP sessions between two non-ScreenOS 5.0.0 devices and you upgrade one device to ScreenOS 5.0.0UPGR and the other to ScreenOS 5.0.0r4 via ScreenOS 5.0.
5.3.7 Known Issues from ScreenOS 5.0.0r3 for the 5000-M2
• 38001 – When you run the get session command, ScreenOS sometimes displays the policy ID number incorrectly as a negative number.
• 37993 – When enabled on a Juniper NetScreen-5000 Series system, the inter-zone IP record route option does not update the counter associated with this option. The record route option records the IP addresses of the network devices along the path that an IP packet travels.
• 36807, 36876 – When a 100Mbps link between a Juniper NetScreen-5000 Series system and another device reverts to a 10Mbps throughput level on the other device, the Juniper NetScreen-5000 Series system remains at the 100Mbps throughput level when it should synchronize with the speed of the connected device and revert to the lesser speed.

5.3.8 Known Issues from ScreenOS 5.0.0r3
None.

5.3.9 Known Issues from ScreenOS 5.0.
exceeds the maximum number of routes permitted on a single page, all subsequent pages display the routes from the first page.
• 35417 – If you set the guaranteed or maximum bandwidth (GBW or MBW) higher than the interface bandwidth, traffic does not pass through if there is a policy configured that specifies traffic shaping.
W/A: Adjust the GBW or MBW to be equal to or less than the interface bandwidth.
displays only when you issue a 'get event' CLI command, and not when you issue a 'get log event' CLI command.
• 33916 – A Juniper Networks security appliance supports a maximum of 256 OSPF interfaces.
• 33598 – For inter-vsys traffic, if both vsys define a policy with user authentication, the Juniper Networks security appliance does not prompt the user for authentication for each policy, but only once when it matches the first policy.
number to the same port number as the original destination port. This does not affect traffic.
• 30844 – When AV is enabled, you cannot download files to the Juniper Networks security appliance through a VPN using the WebUI.
W/A: Specify a permit policy and place it above the policy with AV in the policy list.
• 30842 – Source and destination NAT are not supported for RTP and RTCP traffic for H.323.
• 28138 – The Websense server provides erroneous protocol version information, which the Juniper Networks security appliance displays.
• 28016 – Juniper Networks security appliances do not support a MIP in the same zone as the destination host.
W/A: Use policy-based destination NAT.

5.3.
6. Getting Help
For further assistance with Juniper Networks products, visit www.juniper.net/support

Juniper Networks occasionally provides maintenance releases (updates and upgrades) for ScreenOS firmware. To have access to these releases, you must register your NetScreen device with Juniper Networks at the above address.

Copyright © 2005 Juniper Networks, Inc. All rights reserved.