SRX4300 Overview:
The SRX4300 next-generation firewall (NGFW) protects small and midsized campus, data center, and regional headquarters networks. The 1U, power-efficient device delivers up to 90 Gbps firewall throughput per rack unit and supports 100 Gbps interfaces with wire-speed MACsec encryption to safeguard data in motion.
The SRX4300 integrates networking and security into a single platform. It features built-in zero-trust capabilities, EVPN-VXLAN fabric integration, and AI Predictive Threat Prevention for ultra-high security efficacy. Centrally managed by Juniper Security Director Cloud, the SRX4300 delivers high-performance IPsec VPN and unified policy management for securing your network reliably.
Product Description
Juniper Networks® SRX4300 Firewall is a high-performance, next-generation firewall (NGFW) designed to safeguard your enterprise campus, data center edge, and core. It also supports roaming and SD-WAN secure hub firewall use cases. Combining carrier-grade routing with state-of-the-art switching, this platform delivers robust security, effective threat detection, and comprehensive automation and mitigation capabilities.
SRX4300 delivers NGFW features that support the changing needs of cloud-enabled enterprise networks and data centers. Whether rolling out new services within an enterprise campus, connecting to the cloud seamlessly, complying with industry standards, or achieving operational efficiency, the SRX4300 empowers organizations to operationalize zero-trust principles at scale while realizing their business objectives. The SRX4300 protects critical corporate assets with features such as intrusion prevention system (IPS), follow-the-user and follow-the-application access policies, and Juniper’s AI-Predictive Threat Prevention. Furthermore, SRX4300 works with Juniper’s cloud security solutions to secure hybrid-cloud environments with networkwide visibility and control, providing consistently secure on-premises and cloud environments.
As network architectures become more distributed and decentralized, Juniper Networks SRX Series Firewalls ensure seamless integration with other Juniper and third-party networking platforms. At the same time, the NGFWs facilitate architectural transformation, taking organizations from on-premises to hybrid cloud environments seamlessly and cost effectively. SRX Series Firewalls are the first to implement industry-standard Ethernet VPN (EVPN) type 5 and Virtual Extensible LAN (VXLAN) protocols within data center environments, enabling the SRX4300 to act as a secure, fabric-aware leaf in the data center spine-leaf architecture.
The SRX4300 participates in the industry-first Connected Security Distributed Services Architecture, enabling organizations to scale both horizontally and elastically, and it simplifies operational management of large-scale firewall networks. With this architecture, several SRX4300 platforms can work together as a single large logical firewall to provide security at higher performance and scale.
The SRX4300 is powered by Junos® operating system, the OS that underpins and helps secure the world’s largest mission-critical enterprise and service provider networks. It is managed by Juniper Security Director Cloud, Juniper’s unified management experience that connects the organization’s current deployments with future architectural rollouts. Security Director Cloud uses a single policy framework enabling consistent security policies across any environment and expanding zero trust to all parts of the network from the edge into the data center. This provides unbroken visibility, policy configuration, administration, and collective threat intelligence all in one place.
Highlights
The SRX4300 Firewall is integral to Juniper’s Connected Security Distributed Services Architecture and empowers organizations to operationalize zero trust across their networks.
To increase trust and streamline operations, the SRX4300 features several built-in zero trust device capabilities, including an embedded Trusted Platform Module (TPM) 2.0 and cryptographically signed device ID. The SRX4300 supports RFC-compliant Secure Zero Touch Provisioning (sZTP) to deploy products in your network efficiently, expediently, and remotely. Additionally, the SRX4300 supports MACsec at wire speed, ensuring data integrity and confidentiality.
Technical Specifications:
| Specifications | SRX4300 |
| --- | --- |
| Onboard ports | 8 x 1 GbE/2.5 GbE/5 GbE/10 GbE BASE-T |
| Onboard small form-factor pluggable plus (SFP+) transceiver ports | 8 x 1 GbE/10 GbE SFP+; 4 x 1 GbE/10 GbE/25 GbE SFP28; 6 x 40 GbE/100 GbE QSFP28 |
| Out-of-Band (OOB) management ports | 1 x 1 GbE G (RJ-45) |
| Dedicated high availability (HA) ports | 2 x 1 GbE SFP |
| Console | 1 (RJ-45) |
| USB 3.0 ports (Type A) | 1 |
| Storage (SSD) | 1 x 120 GB (system disk), 1 x 960 GB (logging disk) |
| Form factor | 1U |
| Size (W x H x D) | 17.28 x 1.74 x 18.20 in (43.89 x 4.42 x 46.23 cm) |
| Weight (device and PSU) | Chassis with two AC PSU: 20.2 lb (9.2 kg); Chassis with two DC PSU: 20.5 lb (9.3 kg); Chassis with package: 36.6 lb (16.6 kg) |
| Redundant PSU | 1+1 |
| Power supply | 2 x 850 W AC PSU redundant; 2 x 850 W DC PSU redundant |
| Average heat dissipation | 1 x DC PSU (40V): 1221.5 BTU/h; 2 x DC PSU (40V): 1224.9 BTU/h; 1 x AC PSU (110V): 1206.2 BTU/h; 1 x AC PSU (230V): 1175.5 BTU/h; 2 x AC PSU (110V): 1228.4 BTU/h; 2 x AC PSU (230V): 1206.2 BTU/h |
| Maximum current consumption | 4.67 A (for 110 V AC PSM); 2.188 A (for 230 V AC PSM); 11.53 A (for -40 V DC Power) |
| Maximum inrush current | 40 A for 1 cycle of AC (AC PSM); 40 A-pk (DC PSM) |
| Airflow/cooling | Front to back |
| Operating temperature | 32° to 104° F (0° to 40° C at 6000 ft altitude) |
| Operating humidity | 5% to 90% non-condensing |
| Mean time between failures (MTBF) | Over 100,000 hours (12 years) |
| FCC classification | Class A |
| RoHS compliance | RoHS 6 |
| Firewall (IMIX packet size) throughput Gbps³ | 50 Gbps |
| Firewall (1518B packet size) throughput Gbps³ | 90 Gbps |
| IPsec VPN (IMIX packet size) throughput Gbps³ | 30 Gbps |
| IPsec VPN (1400B packet size) throughput Gbps | 75 Gbps |
| Application security performance in Gbps (TPS#) | 60 Gbps |
| Recommended IPS in Gbps (TPS#) | 45 Gbps |
| Next-generation firewall in Gbps (TPS#)⁴ | 45 Gbps |
| Secure Web Access Firewall in Gbps (CPS**) | 45 Gbps |
| Advanced Threat in Gbps (CPS**)⁶ | 15 Gbps |
| Connections per second (64B) | 550,000 |
| Maximum security policies | 60,000 |
| Maximum concurrent sessions (IPv4 or IPv6) | 10 Million |
| Route table size (RIB/FIB) (IPv4) | 2 Million/1 Million |
| IPsec VPN tunnels | 8,000 |
| Number of remote access/SSL VPN (concurrent) users | 8,000 |
| Max VLANs | 4,096 |
| GRE Tunnels | 8,000 |
| Maximum Security Zones | 2,000 |
| Maximum Virtual Routers | 2,000 |
| NAT Rules | 20,000 |
Additional Specification Features:
Firewall Services
- Stateful firewall services
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomalies
- Unified Access Control (UAC)
- User role-based firewall
- SSL inspection
- Integration with Juniper Mist™ Access Assurance
Carrier-Grade Network Address Translation (CGNAT)
- Carrier-grade Network Address Translation (Large-scale NAT)
- IPv4 and IPv6 address translation: NAT44, NAPT44, NAT66, NAPT66, NAT64, NAT46
- Static and dynamic 1-1 translation
- Source NAT with Port Address Translation (PAT)
- Destination NAT with Port Address Translation (PAT)
- Persistent NAT (EIM/EIF)
- Port Block Allocation (PBA)
- Deterministic NAT (DetNAT)
- Port overload
- Twice-NAT44
- DS-lite and Port Control Protocol (PCP)
VPN Features
- Tunnels: Site-to-site, hub and spoke, dynamic endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
- Juniper Secure Connect: Remote access/SSL VPN
- Configuration payload: Yes
- IKE encryption algorithms: Prime, 3DES-CBC, AES-CBC, AES-GCM, Suite B
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec: Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec authentication algorithms: hmac-md5, hmac-sha1-96, hmac-sha-256
- IPsec encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, Suite B
- Perfect forward secrecy, anti-replay
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs: GRE, IP-in-IP, and MPLS
High Availability Features
- Virtual Router Redundancy Protocol (VRRP): IPv4 and IPv6
- Stateful high availability: Dual box clustering
- Active/passive
- Active/active
- Configuration synchronization
- Firewall session synchronization
- Device/link detection
- In-Service Software Upgrade (ISSU)
- IP monitoring with route and interface failover
- Chassis cluster HA and Multimode HA (MNHA)
Application Security Services (offered as advanced security subscription license)
- Application visibility and control
- Application QoS
- Advanced/application policy-based routing (APBR)
- Application Quality of Experience (AppQoE)
- Application-based multipath routing
- User-based firewall
Threat Defense and Intelligence Services (offered as advanced security subscription license)
- Intrusion prevention system
- AI-Predictive Threat Prevention
- Antivirus
- Antispam
- Category/reputation-based URL filtering
- SSL proxy/inspection
- Protection from botnets (command and control)
- Adaptive enforcement based on GeoIP
- Juniper Advanced Threat Prevention, a cloud-based SaaS offering, to detect and block zero-day attacks
- Adaptive Threat Profiling
- Encrypted Traffic Insights
- SecIntel threat intelligence
- Juniper ATP virtual appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks
Routing Protocols
- IPv4, IPv6, static routes, RIP v1/v2
- OSPF/OSPF v3
- BGP with route reflector
- IS-IS
- Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); reverse path forwarding (RPF)
- Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- EVPN-VXLAN (EVPN Type 5 route)
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
Network Services
- Dynamic Host Configuration Protocol (DHCP) client/server/relay
- Domain Name System (DNS) proxy, dynamic DNS (DDNS)
- Juniper real-time performance monitoring (RPM) and IP monitoring
- Juniper flow monitoring (J-Flow)
Advanced Routing Services
- Packet Mode
- MPLS (RSVP, LDP)
- Circuit cross-connect (CCC), translational cross-connect (TCC)
- L2/L2 MPLS VPN, pseudo-wires
- Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
- MPLS traffic engineering and MPLS fast re-route
Management, Automation, Logging, and Reporting
- SSH, Telnet, SNMP-MIBS, Traps
- Smart image download
- Juniper CLI and Web UI, NETCONF, XML APIs, RMON
- Juniper Networks Security Director Cloud
- Python
- Junos events, commit and OP scripts
- Application and bandwidth usage reporting
- Debug and troubleshooting tools
³ Throughput numbers based on UDP packets and RFC2544 test methodology
⁴ Next-generation firewall performance is measured with firewall, application security, and IPS enabled
⁵ Secure Web Access firewall performance is measured with firewall, application security, IPS, SecIntel, and URL filtering enabled
⁶ Advanced Threat performance is measured with firewall, application security, IPS, SecIntel, URL filtering, and malware protection enabled
# TPS Method: Fixed, long-lived sessions with multiple transactions
** CPS Method: Short-lived sessions with single transaction