SRX3400 Overview:
The SRX3400 Services Gateway supports up to 20 Gbps firewall, 6 Gbps firewall and IPS, or 6 Gbps of IPsec VPN, and up to 175,000 new connections per second. This SRX Services Gateway is ideal for securing and segmenting data center network infrastructures, aggregating a variety of different security solutions, and enforcing unique per-zone security policies in small to midsize server farms and hosting sites.
The SRX3400 Services Gateway uses the same SPCs, IOCs and NPCs as the SRX3600 and can support up to 20 Gbps firewall, 6 Gbps firewall and IPS, or 6 Gbps of IPsec VPN, along with up to 175,000 new connections per second. The SRX3400 is ideally suited for securing and segmenting enterprise data centers/network infrastructure as well as aggregation of various security solutions. The capability to support unique security policies per zones and its ability to scale with the growth of the network makes the SRX3400 an ideal deployment for small to midsized server farms , hosting sites, or mobile operators. The SRX3400 Services Gateway is also managed by Juniper Networks Network and Security Manager.
Juniper Networks SRX3000 line of services gateways is the next-generation solution for securing the ever-increasing network infrastructure and applications requirements for both enterprise and service provider environments. Designed from the ground up to provide flexible processing scalability, I/O scalability, and high integration, the SRX3000 line can meet the network and security requirements of data center hyperconsolidation, rapid managed services deployments, and aggregation of security solutions. Incorporating the routing heritage and service provider reliability of Junos OS with the rich security heritage of ScreenOS, the SRX3000 line offers the high-feature/ service integration necessary to secure modern network infrastructure and applications.
Juniper Networks® SRX3400 Services Gateway and SRX3600 Services Gateway are next-generation security platforms that deliver market-leading performance, scalability and service integration in a mid-sized form factor. These devices are ideally suited for medium to large enterprise, public sector and service provider networks, including:
- Enterprise server farms/data centers
- Securing mobile operator environments
- Aggregation of departmental or segmented security solutions
- Cloud and hosting provider data centers
- Managed services deployments
Based on an innovative mid-plane design and Juniper’s dynamic services architecture, the SRX3000 line resets the bar in price/performance for enterprise and service provider environments. Each services gateway can support near linear scalability with each additional Services Processing Card (SPC), enabling the SRX3600 to support up to 30 Gbps of firewall throughput. The SPCs are designed to support a wide range of services enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services in operation—maximizing hardware utilization.
Market leading flexibility and price/performance of the SRX3000 line comes from the modular architecture. Based on Juniper’s dynamic services architecture, the gateway can be equipped with a flexible number of I/O cards (IOCs), network processing cards (NPCs) and service processing cards (SPCs)—allowing the system to be configured to support the ideal balance of performance and port density enabling each deployment of the Juniper Networks SRX Series Services Gateways to be tailored to specific network requirements. With this flexibility, the SRX3600 can be configured to support more than 100 Gbps interfaces with choices of Gigabit Ethernet or 10-Gigabit Ethernet ports; firewall performance from 10 to 30 Gbps; and services processing to match specific business needs.
The switch fabric employed in the SRX3000 line enables the scalability of SPCs, NPCs and IOCs. Supporting up to 320 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility facilitates future expansion and growth of the network infrastructure, providing unrivaled investment protection.
The flexibility of the SRX3000 line extends beyond the innovation and proven benefit of the dynamic services architecture. Enabling the installation of SPCs on both the front and the back of the SRX3000 line, the mid-plane design delivers market-leading flexibility and scalability. By doubling the number of SPCs supported in half the rack space needed, the SRX3000 line offers not only underlying architectural innovation but also an innovative physical design.
The tight service integration on SRX Series Services Gateways is enabled by Juniper Networks Junos® operating system. By combining the routing heritage of Junos OS and the security heritage of ScreenOS®, the SRX Series Services Gateways are equipped with a robust list of features that include firewall, intrusion prevention system (IPS), denial of service (DoS), application security, Network Address Translation (NAT), and quality of service (QoS). In addition, incorporating multiple networking and security services under a single OS greatly optimizes the flow of traffic through the platform. With Junos OS, the SRX Series enjoys the benefit of a single source OS, single release train, and one architecture that is also available across Juniper’s carrier-class routers and switches.
Architecture and Key Components:
The SRX3400 Services Gateway uses the same SPCs, IOCs and NPCs as the SRX3600 and can support up to 20 Gbps firewall, 6 Gbps firewall and IPS, or 6 Gbps of IPsec VPN, along with up to 175,000 new connections per second. The SRX3400 is ideally suited for securing and segmenting enterprise data centers/network infrastructure as well as aggregation of various security solutions. The capability to support unique security policies per zones and its ability to scale with the growth of the network makes the SRX3400 an ideal deployment for small to midsized server farms , hosting sites, or mobile operators. The SRX3400 Services Gateway is also managed by Juniper Networks Network and Security Manager.
SRX3000 Line Service Processing Cards*
As the “brains” behind the SRX3000 line, SPCs are designed to process all available services on the platform. By eliminating the need for dedicated hardware for specific services or capabilities, there are no instances in which any piece of hardware is taxed to the limit while other hardware sits idle. SPCs are designed to be pooled together, allowing the SRX3000 line to expand performance and capacities with the introduction of additional SPCs, drastically reducing management overhead and complexity. The same SPCs are supported on both the SRX3600 and SRX3400. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
SRX3000 Line I/O Cards*
In addition to supporting an ideal mix of built-in copper, small form-factor pluggable transceiver (SFP) and high availability (HA) ports, the SRX3000 line allows the greatest I/O port density of any comparable offering in the same class. Each services gateway in the SRX3000 line can be equipped with one or several IOCs, each supporting either 16-gigabit interfaces (16 x 1 copper or fiber Gigabit Ethernet), or 20-gigabit interfaces (2 x 10 Gigabit XFP Ethernet). With the flexibility to provide multiple IOCs, the SRX3000 line can be equipped to support an ideal balance between interfaces and processing capabilities. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
SRX3000 Line Network Processing Cards*
To ensure maximum processing performance and flexibility, the SRX3000 line utilizes NPCs to distribute inbound and outbound traffic to the appropriate SPCs and IOCs, apply QoS, and enforce DoS/distributed denial of service (DDoS) protections. The SRX3600 can be configured to support one to three NPCs, while the SRX3400 can be configured to support one or two NPCs. Providing additional NPCs to the SRX3000 line allows organizations to tailor the solution to fit their specific performance requirements. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
*The Juniper Networks SRX3000 line utilizes the same market leading, high-performance dynamic architecture as the SRX5000 line, but in a mid-plane form factor. The SRX3000 line SPCs, IOCs, and NPCs are based on a common form-factor module (CFM) design and are not compatible with the SRX5000 line. Likewise, all SRX5000 line modules are not compatible with the SRX3000 line.
Features & Benefits:
Networking and Security
The SRX3000 line has been designed from the ground up to offer robust networking and security services.
Features |
Features Description |
Benefits |
Purpose-built platform |
Built from the ground up on dedicated hardware— designed for networking and security services. |
Delivers unrivaled performance and flexibility to protect high-speed network environments. |
Scalable performance |
Offers scalable processing based on the Dynamic Services Architecture. |
Provides a simple and cost-effective solution to leverage new services with appropriate processing. |
System and network resiliency |
Provides carrier-class hardware design and proven OS. |
Offers reliability needed for any critical high-speed network deployments. |
High availability (HA) |
Active/passive and active/active HA configurations using dedicated HA-control interfaces. |
Achieve availability and resiliency necessary for critical networks. |
Interface flexibility |
Offers flexible I/O options including on-board ports and modular CFM I/O cards. |
Offers flexible I/O configuration and independent I/O scalability to meet the port density requirements of multiple network environments. |
Network segmentation |
Provides security zones, VLANs, and virtual routers that allow administrators to deploy security policies to isolate guests and regional servers or databases. |
Features the capability to tailor unique security and networking policies for various internal, external, and DMZ subgroups. |
Robust routing engine |
Dedicated routing engine that provides physical and logical separation to data and control planes. |
Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment. |
Comprehensive threat protection |
Tightly integrated services on Junos OS including multi-gigabit firewall, IPsec VPN, IPS, DoS, application security, and other networking and security services. |
Offers unmatched integration, ensuring network security against all level of attacks. |
Stateful GPRS inspection |
Support for GPRS firewall in mobile operator networks. |
Enables the SRX3000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks. |
Role-based/identity-based access control enforcement |
Secure access to data center resources via tight integration of Juniper Networks Unified Access Control and SRX3000 line. |
Enables user- and identity-based security services for enterprise data centers by integrating the SRX3000 line with the standards-based access control capabilities of Juniper Networks Unified Access Control. |
Traffic Inspection Methods
The SRX Series supports various detection methods to accurately identify the application and traffic flow through the network.
Features |
Features Description |
Benefits |
Protocol anomaly detection |
Protocol usage against published RFCs is verified to detect any violations or abuse. |
Proactively protect network from undiscovered vulnerabilities. |
Traffic anomaly detection |
Heuristic rules detect unexpected traffic patterns that may suggest reconnaissance or attacks. |
Proactively prevent reconnaissance activities or block DDoS attacks. |
IP spoofing detection |
Validate IP addresses by checking allowed addresses inside and outside the network. |
Permit only authentic traffic while blocking disguised sources. |
DoS detection |
Protection against SYN flood, IP, ICMP, and application attacks. |
Protect your key network assets from being overwhelmed by denial of service attacks. |
AppSecure
Juniper Networks AppSecure is a suite of next-generation security capabilities that utilize advanced application identification and classification to deliver greater visibility, enforcement, control and protection over the network.
Features |
Features Description |
Benefits |
AppTrack |
Detailed analysis on application volume/usage throughout the network based on bytes, packets and sessions. |
Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control. |
AppFW* |
Fine grained application control policies to allow or deny traffic based on dynamic application name or group names. |
Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis. |
AppQoS** |
Set prioritization of traffic based on application information and contexts. |
Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance. |
AppDoS |
Multi-stage detection methods used to identify and mitigate distributed denial of service attacks targeting applications. |
Prevent service disruptions due to targeted attacks at applications by filtering and blocking malicious traffic while allowing legitimate traffic. |
Application signatures |
More than 700 signatures for identifying applications and nested applications. |
Applications are accurately identified and the resulting information can be used for visibility, enforcement, control and protection. |
SSL inspection |
Inspection of HTTP traffic encrypted in SSL on any TCP/UDP port. |
Combined with application identification, provides visibility and protection against threats embedded in SSL encrypted traffic. |
IPS Capabilities
Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
Features |
Features Description |
Benefits |
Stateful signature inspection |
Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. |
Minimize false positives and offer flexible signature development. |
Protocol decodes |
More than 65 protocol decodes are supported along with more than 500 contexts to enforce proper usage of protocols. |
Accuracy of signatures is improved through precise contexts of protocols. |
Signatures1 |
There are more than 6,000 signatures for identifying anomalies, attacks, spyware, and applications. |
Attacks are accurately identified and attempts at exploiting a known vulnerability are detected. |
Traffic normalization |
Reassembly, normalization, and protocol decoding are provided. |
Overcome attempts to bypass other IPS detections by using obfuscation methods. |
Zero-day protection |
Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. |
Your network is already protected against any new exploits. |
Recommended policy |
Group of attack signatures are identified by Juniper Networks Security Team as critical for the typical enterprise to protect against. |
Installation and maintenance are simplified while ensuring the highest network security. |
Active/active traffic monitoring |
IPS monitoring on active/active SRX3000 line chassis clusters. |
Support for active/active IPS monitoring including advanced features such as low impact chassis cluster upgrades. |
Centralized Management
Network and Security Manager—the common management solution for all Juniper Networks firewall, IDP Series, SA Series SSL VPN Appliances, UAC, and EX Series—manages the SRX Series Services Gateways.
Features |
Features Description |
Benefits |
Role-based administration |
More than 100 different activities can be assigned as unique permissions for different administrators. |
Streamline business operations by logically separating and enforcing roles of various administrators. |
Scheduled security update |
SRX Series Services Gateways can be automatically updated with new attack objects/signatures. |
Get up-to-the-minute security coverage without manual intervention. |
Domains |
Logical separation of devices, policies, reports, and other management activities are permitted. |
Conform to business operations by grouping devices based on business practices. |
Object locking |
Safe concurrent modification to the management settings is allowed. |
Avoid incorrect configuration due to overwritten management settings. |
Scheduled database backup |
Automatic backup of NSM database is provided. |
Provide configuration redundancy |
Job manager |
View pending and completed jobs. |
Simplify update of multiple devices. |
1 As of May 2010, there are 6,200 signatures with approximately 10 new signatures added every week. Subscription to signature update service is required to receive new signatures.
* AppFW is targeted for 1H2011
** AppQoS is targeted for 2H2011
Modules:
Switch Fabric and Control Board (SCB)
At the heart of the Dynamic Services Architecture is the switch fabric and control board (SCB). The SCB transforms the chassis from a simple module enclosure into a highly effective mesh network. The purpose of the SCB is to allow all modules in the chassis to send traffic at extremely high bandwidth.
The Route Engine (RE)
The routing engine (RE) is tightly coupled with the functionality of the SCB and can be considered the central nervous system of the architecture. The RE is the control plane of the chassis, and provides overall management and communications to and from system administrators, as well as calculating route tables for routing network traffic.
Services Processing Card (SPC)
As the "brains" behind the SRX3000 services gateways, services processing cards (SPCs) are designed to process all available services on the gateway. By eliminating the need for dedicated hardware for specific services or capabilities, no piece of hardware is ever taxed to the limit while other hardware sits idle. All of the processing capabilities of the SPCs are used to support any and all services and capabilities of the gateway. The same SPCs are supported on both the SRX3600 and the SRX3400 services gateways.(Note: A minimum of one NPC and one SPC is required for proper system functionality.)
Network Processing Cards (NPC)
To ensure maximum processing performance and flexibility, the SRX3000 line of services gateways utilize network processing cards (NPCs) to distribute inbound and outbound traffic to the appropriate SPCs and IOCs, apply QoS, and enforce DoS/DDoS protections. The SRX3600 can be configured to support one to three NPCs, while the SRX3400 can be configured to support one or two NPCs. Adding additional NPCs to these gateways allows organizations to tailor the solution to fit their specific performance requirements.(Note: A minimum of one NPC and one SPC is required for proper system functionality.)
Input/Output Cards (IOC)
In addition to supporting an ideal mix of built-in copper, small form-factor pluggable (SFP), and high-availability (HA) ports, the SRX3000 line allows the greatest I/O port density of any comparable offering. Each SRX3000 services gateway can be equipped with one or several input/output cards (IOCs), each supporting either 16 gigabit interfaces (16 x 1 copper or fiber Gigabit Ethernet), or 20 gigabit interfaces (2 x 10 Gigabit XFP Ethernet). With the flexibility to add additional IOCs, the SRX3000 line of services gateways can be equipped to support an ideal balance between interfaces and processing capabilities. (Note: A minimum of one NPC and one SPC is required for proper system functionality.)
SRX Cluster Module
The SRX Cluster Module is a hardware module that can be installed in the SRX3400 gateway to enable dual, or redundant, H/A control links for chassis clustering. When deploying SRX3400's in H/A clusters, the SRX Cluster Module utilizes the redundant architecture design of the SRX3000 line to provide full control link resiliency for mission critical environments.
SRX3K-SPC-1-10-40 |
SRX 3000 services processing card with 1Ghz processor and 4GB memory |
SRX3K-NPC |
SRX 3000 network processing card |
SRX3K-16GE-TX |
16x1 10/100/1000 copper CFM I/O card for SRX3000 |
SRX3K-16GE-SFP |
16x1 Gigabit SFP Ethernet I/O card for SRX3000, no transceivers |
SRX3K-2XGE-XFP |
2x10 Gigabit XFP Ethernet I/O card for SRX3000, no transceivers |
Technical Specifications:
Model: |
SRX3400 |
SRX3600 |
|
|
|
Junos OS version tested |
Junos OS 10.2 |
Junos OS 10.2 |
Firewall performance (large packets) |
20 Gbps |
30 Gbps |
Firewall performance (IMIX) |
8 Gbps |
18 Gbps |
Firewall packets per second (64 bytes) |
3 Mpps |
6 Mpps |
Maximum AES256+SHA-1 VPN performance |
6 Gbps |
10 Gbps |
Maximum 3DES+SHA-1 VPN performance |
6 Gbps |
10 Gbps |
Maximum IPS performance (NSS 4.2.1) |
6 Gbps |
10 Gbps |
Maximum AppTrack performance |
16 Gbps |
25 Gbps |
Maximum concurrent sessions |
2.25 million |
2.25 million |
New sessions/second, (sustained, TCP, three-way) |
175,000 |
175,000 |
Maximum security policies |
40,000 |
40,000 |
Maximum users supported |
Unrestricted |
Unrestricted |
Fixed I/O |
8 10/100/1000 + 4 SFP |
8 10/100/1000 + 4 SFP |
LAN interface options |
16 x 1 10/100/1000 copper
16 x 1-Gigabit Ethernet SFP
2 x 10-Gigabit Ethernet XFP |
16 x 1 10/100/1000 copper
16 x 1-Gigabit Ethernet SFP
2 x 10-Gigabit Ethernet XFP |
Maximum available slots for IOCs |
Four (front slots) |
Six (front slots) |
Maximum available slots for SPCs2 |
Up to four SPCs supported per chassis3
(any slot) |
Up to seven SPCs supported per chassis
(any slot) |
Maximum available slots for NPCs2 |
Up to two NPCs supported per chassis3
(three rear slots) |
Up to three NPCs supported per chassis
(three rear-right slots) |
Dimensions (W x H x D) |
17.5 x 5.25 x 25.5 in
(44.5 x 13.3 x 64.8 cm) |
17.5 x 8.75 x 25.5 in
(44.5 x 22.2 x 64.8 cm) |
Weight (device and power supply) |
Chassis: 32.3 lb (14.7 kg)
Fully configured: 75 lb (34.1 kg) |
Chassis: 43.6 lb (19.8 kg)
Fully configured: 115.7 lb (52.6 Kg) |
Power supply (AC) |
100 to 240 VAC |
100 to 240 VAC |
Power supply (DC) |
-40 to -72 VDC |
-40 to -72 VDC |
Maximum power draw |
1,100 W (AC power)
1,050 W (DC power) |
1,750 W (AC power)
1,850 W (DC power) |
Power supply redundancy |
1 + 1 |
2 + 1 / 2 + 2 |
Operational temperature |
32° to 104° F (0° to 40° C) |
32° to 104° F (0° to 40° C) |
Humidity |
5% to 90% noncondensing humidity |
5% to 90% noncondensing humidity |
Safety certifications |
Yes |
Yes |
Electromagnetic compatibility (EMC) certifications |
Yes |
Yes |
R6: 3GPP TS 29.060 version 6.21.0 |
Yes |
Yes |
R7: 3GPP TS 29.060 version 7.3.0 |
Yes |
Yes |
R8: 3GPP TS 29.060 version 8.3.0 |
Yes |
Yes |
1. Performance, capacity, and features listed are based upon systems running Junos OS 10.2 and are measured under ideal testing conditions. SRX3400 DC-powered systems achieve lower performance levels as fewer cards can be supported. Actual results may vary based on Junos OS releases and by deployment. For a complete list of supported Junos OS versions for the SRX Series Services Gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/).
2. Each SRX3000 line of Services Gateways employ multiple common form-factor module (CFM) expansion slots on the front and rear of the chassis to allow custom configurations of I/O and processing capacities based on customer requirements. SPCs and NPCs are supported on all available CFM slots. However, for proper system functionality and allowing for I/O expansion, the SRX3400 supports a maximum of up to four SPCs and two NPCs per chassis, and the SRX3600 supports a maximum of up to seven SPCs and three NPCs per chassis. Please refer to the respective hardware guides for more information on SPCs and NPCs as well as for guidelines on placements.
3. Refer to user guide for guidelines when using DC power supplies.
* SRX3000 line gateways operating with Junos software release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX3000 line):
- Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages
- Section 7,5B Mobile Station (MS) info change messages
- Section 7.3.12 Initiate secondary PDP context from GGSN
Additional Features and Comparison:
Model: |
SRX3400 |
SRX3600 |
|
|
|
Network attack detection |
Yes |
Yes |
DoS and DDoS protection |
Yes |
Yes |
TCP reassembly for fragmented packet protection |
Yes |
Yes |
Brute-force attack mitigation |
Yes |
Yes |
SYN cookie protection |
Yes |
Yes |
Zone-based IP spoofing |
Yes |
Yes |
Malformed packet protection |
Yes |
Yes |
Site-to-site tunnels |
10,000 |
10,000 |
Tunnel interfaces |
10,000 |
10,000 |
DES (56-bit), 3DES (168-bit), and AES encryption |
Yes |
Yes |
MD5 and SHA-1 authentication |
Yes |
Yes |
Manual key, IKE, PKI (X.509) |
Yes |
Yes |
Perfect forward secrecy (DH groups) |
1,2,5 |
1,2,5 |
Prevent replay attack |
Yes |
Yes |
Remote access VPN |
Yes |
Yes |
Redundant VPN gateways |
Yes |
Yes |
Modes of operation: In-line and in-line tap |
Yes |
Yes |
Active/active traffic monitoring |
Yes |
Yes |
Stateful protocol signatures |
Yes |
Yes |
Attack detection mechanisms |
Stateful signatures, protocol anomaly detection (zero-day coverage), application identification |
Stateful signatures, protocol anomaly detection (zero-day coverage), application identification |
Attack response mechanisms |
Drop connection, close connection, session packet log, session summary, email, custom session |
Drop connection, close connection, session packet log, session summary, email, custom session |
Attack notification mechanisms |
Structured Syslog |
Structured Syslog |
Worm protection |
Yes |
Yes |
Simplified installation through recommended policies |
Yes |
Yes |
Trojan protection |
Yes |
Yes |
Spyware/adware/keylogger protection |
Yes |
Yes |
Other malware protection |
Yes |
Yes |
Application denial of service protection |
Yes |
Yes |
Protection against attack proliferation from infected systems |
Yes |
Yes |
Reconnaissance protection |
Yes |
Yes |
Request and response-side attack protection |
Yes |
Yes |
Compound attacks—combines stateful signatures and protocol anomalies |
Yes |
Yes |
Create custom attack signatures |
Yes |
Yes |
Access contexts for customization |
500+ |
500+ |
Attack editing (port range, other) |
Yes |
Yes |
Stream signatures |
Yes |
Yes |
Protocol thresholds |
Yes |
Yes |
Stateful protocol signatures |
Yes |
Yes |
Approximate number of attacks covered |
6,000+ |
6,000+ |
Detailed threat descriptions and remediation/patch info |
Yes |
Yes |
Create and enforce appropriate application-usage policies |
Yes |
Yes |
Attacker and target audit trail and reporting |
Yes |
Yes |
Frequency of updates |
Daily and emergency |
Daily and emergency |
GPRS stateful firewall |
Yes |
Yes |
GTP tunnels |
250,000 |
500,000 |
Destination NAT with PAT |
Yes |
Yes |
Destination NAT within same subnet as ingress interface IP |
Yes |
Yes |
Destination addresses and port numbers to one single address and a specific port number (M:1P) |
Yes |
Yes |
Destination addresses to one single address (M:1) |
Yes |
Yes |
Destination addresses to another range of addresses (M:M) |
Yes |
Yes |
Static Source NAT – IP-shifting DIP |
Yes |
Yes |
Source NAT with PAT – port-translated |
Yes |
Yes |
Source NAT without PAT – fix-port |
Yes |
Yes |
Source NAT – IP address persistency |
Yes |
Yes |
Source pool grouping |
Yes |
Yes |
Source pool utilization alarm |
Yes |
Yes |
Source IP outside of the interface subnet |
Yes |
Yes |
Interface source NAT – interface DIP |
Yes |
Yes |
Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted |
Yes |
Yes |
Symmetric NAT |
Yes |
Yes |
Allocate multiple ranges in NAT pool |
Yes |
Yes |
Proxy ARP for physical port |
Yes |
Yes |
Source NAT with loopback grouping – DIP loopback grouping |
Yes |
Yes |
Built-in (internal) database |
Yes |
Yes |
RADIUS accounting |
Yes |
Yes |
Web-based authentication |
Yes |
Yes |
UAC enforcement point |
Yes |
Yes |
PKI certificate requests (PKCS 7 and PKCS 10) |
Yes |
Yes |
Automated certificate enrollment (SCEP) |
Yes |
Yes |
Certificate authorities supported |
Yes |
Yes |
Self-signed certificates |
Yes |
Yes |
Maximum number of security zones |
256 |
256 |
Maximum number of virtual routers |
256 |
256 |
Maximum number of VLANs per interface |
4,096 |
4,096 |
Maximum number of L3 subinterfaces |
16,3844 |
16,3844 |
BGP instances |
128 |
128 |
BGP peers |
2,000 |
2,000 |
BGP routes |
1,000,0005 |
1,000,0005 |
OSPF instances |
256 |
256 |
OSPF routes |
1,000,0005 |
1,000,0005 |
RIP v1/v2 instances |
50 |
50 |
RIP v2 table size |
30,000 |
30,000 |
Dynamic routing |
Yes |
Yes |
Static routes |
Yes |
Yes |
Filter-based forwarding (FBF) |
Yes |
Yes |
Equal-cost multipath (ECMP) |
Yes |
Yes |
Reverse path forwarding (RPF) |
Yes |
Yes |
Multicast |
Yes |
Yes |
Firewall/stateless filters |
Yes |
Yes |
Dual stack IPv4/IPv6 firewall |
Yes |
Yes |
RIPng |
Yes |
Yes |
BFD, BGP |
Yes |
Yes |
ICMPv6 |
Yes |
Yes |
OSPFv3 |
Yes |
Yes |
Class of service |
Yes |
Yes |
Layer 2 (transparent) mode |
Yes |
Yes |
Layer 3 (route and/or NAT) mode |
Yes |
Yes |
Static |
Yes |
Yes |
Dynamic Host Configuration Protocol (DHCP) |
Yes |
Yes |
Internal DHCP server |
Yes |
Yes |
DHCP relay |
Yes |
Yes |
Maximum bandwidth |
Yes |
Yes |
RFC2474 IP DiffServ in IPv4 |
Yes |
Yes |
Filters for CoS |
Yes |
Yes |
Classification |
Yes |
Yes |
Scheduling |
Yes |
Yes |
Shaping |
Yes |
Yes |
Intelligent Drop Mechanisms (WRED) |
Yes |
Yes |
Three-level scheduling |
Yes |
Yes |
Weighted round-robin for each level of scheduling |
Yes |
Yes |
Priority of routing protocols |
Yes |
Yes |
Active/passive, active/active |
Yes |
Yes |
Low impact chassis cluster upgrades |
Yes |
Yes |
Configuration synchronization |
Yes |
Yes |
Session synchronization for firewall and IPsec VPN |
Yes |
Yes |
Session failover for routing change |
Yes |
Yes |
Device failure detection |
Yes |
Yes |
Link and upstream failure detection |
Yes |
Yes |
Interface link aggregation/LACP |
Yes |
Yes |
Redundant data and control links* |
Yes |
Yes |
WebUI (HTTP and HTTPS) |
Yes |
Yes |
Command-line interface (console) |
Yes |
Yes |
Command-line interface (telnet) |
Yes |
Yes |
Command-line interface (SSH) |
Yes |
Yes |
Network and Security Manager version 2008.2 or later |
Yes |
Yes |
Local administrator database support |
Yes |
Yes |
External administrator database support |
Yes |
Yes |
Restricted administrative networks |
Yes |
Yes |
Root admin, admin, and read-only user levels |
Yes |
Yes |
Software upgrades |
Yes |
Yes |
Configuration rollback |
Yes |
Yes |
Structured System Log |
Yes |
Yes |
SNMP (v2/v3) |
Yes |
Yes |
Traceroute |
Yes |
Yes |
1. Performance, capacity, and features listed are based upon systems running Junos OS 10.2 and are measured under ideal testing conditions. SRX3400 DC-powered systems achieve lower performance levels as fewer cards can be supported. Actual results may vary based on Junos OS releases and by deployment. For a complete list of supported Junos OS versions for the SRX Series Services Gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/).
2. Each SRX3000 line of Services Gateways employ multiple common form-factor module (CFM) expansion slots on the front and rear of the chassis to allow custom configurations of I/O and processing capacities based on customer requirements. SPCs and NPCs are supported on all available CFM slots. However, for proper system functionality and allowing for I/O expansion, the SRX3400 supports a maximum of up to four SPCs and two NPCs per chassis, and the SRX3600 supports a maximum of up to seven SPCs and three NPCs per chassis. Please refer to the respective hardware guides for more information on SPCs and NPCs as well as for guidelines on placements.
3. Refer to user guide for guidelines when using DC power supplies.
4. Maximum number of supported L3 subinterfaces in HA configuration is 1,000.
5. Maximum number of BGP and OSPF routes recommended is 100,000.
* To enable dual control links on the SRX3000 line, the SRX3K CRM module must be installed on each cluster member.