New Features in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Software Features
- Hardware Features—SRX 210 Services Gateways
- Hardware Features—SRX 240 Services Gateways
- Hardware Features—SRX650 Services Gateways
- Hardware Features—SRX 5600 and SRX 5800 Services Gateways
Software Features
Application Layer Gateways (ALGs)
- DNS ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Domain Name System (DNS) support. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.
To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- FTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series Services Gateways Product Overview” section.
To configure the FTP ALG, use the edit security alg ftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- H.323 ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides H.323 standard and H.323 Avaya support. The H.323 standard is a legacy VoIP protocol defined by the International Telecommunication Union Telecommunication Standardization (ITU-T). H.323 consists of a suite of protocols (such as H.225.0 and H.245) that are used for call signaling and call control for VoIP.
To configure the H.323 ALG, use the edit security alg h323 statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- MGCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Media Gateway Control Protocol (MGCP) support. MGCP is a text-based Application Layer protocol used for call setup and call control between the media gateway and the media gateway controller (MGC).
To configure the MGCP ALG, use the edit security alg mgcp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- PPTP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Point-to-Point Tunneling Protocol (PPTP) support. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building virtual private networks (VPNs).
To configure the PPTP ALG, use the edit security alg pptp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- RPC ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides basic Remote Procedure Call (RPC) support. RPC is a protocol that allows an application running in one address space to access the resources of applications running in another address space as if the resources were local to the first address space. The RPC ALG is responsible for RPC packet processing.
To configure the RPC ALG, use the edit security alg rpc statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- RSH ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Remote Shell (RSH) support. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.
To configure the RSH ALG, use the edit security alg rsh statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- RTSP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Real-Time Streaming Protocol support.
To configure the RTSP ALG, use the edit security alg rtsp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- SCCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Skinny Client Control Protocol (SCCP) support. SCCP is a Cisco proprietary protocol for call signaling. Skinny is based on a call-agent-based call-control architecture. The control protocol uses binary-coded frames encoded on TCP frames sent to well-known TCP port number destinations to set up and tear down RTP media sessions. The SCCP protocol, just as other call control protocols, negotiates media endpoint parameters, specifically the RTP port number and the IP address of media termination by embedding information in the control packets. The SCCP ALG parses these control packets and facilitates media and control packets to flow through the SRX-series devices.
To configure the SCCP ALG, use the edit security alg sccp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- SIP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Session Initiation Protocol (SIP) support. SIP is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.
To configure the SIP ALG, use the edit security alg sip statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- SQLNET ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Structured Query Language (SQL) support. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet, looks for the (HOST = ipaddress) and (PORT = port) patterns, and performs NAT and gate opening on the client side for the TCP data channel.
To configure the SQLNET ALG, use the edit security alg sqlnet statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- TALK ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides TALK protocol support. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.
To configure the TALK ALG, use the edit security alg talk statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- TFTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series Services Gateways Product Overview.”
To configure the TFTP ALG, use the edit security alg tftp statement at the [edit security alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
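The SQLNET ALG behaviour described above (find the (HOST = ipaddress) and (PORT = port) patterns in a server response, translate the address, and open a gate for the client) is modelled below in Python as an added example; it is not Juniper code. The names Gate, process_response and nat_map, the sample response text and all addresses are assumptions made for illustration, and the TNS frame header is not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two patterns named in the text, tolerant of spacing and letter case.
HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)

# Constructed sample: the text of a server response that points the client
# at a separate TCP data channel.
SAMPLE_RESPONSE = "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST = 10.1.1.20)(PORT = 1522)))"


@dataclass(frozen=True)
class Gate:
    """A pinhole scoped to one client, one server address and one TCP port."""
    client_ip: str        # only this client may use the gate
    advertised_host: str  # address the client sees after NAT
    real_host: str        # address the server announced
    port: int             # TCP port of the data channel


def valid_ipv4(text: str) -> Optional[str]:
    """Return the normalized address, or None if text is not an IPv4 literal."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def valid_port(text: str) -> Optional[int]:
    """Return the port as an int, or None unless it is 1..65535 in ASCII digits."""
    if not (text.isascii() and text.isdigit()):
        return None
    port = int(text)
    return port if 1 <= port <= 65535 else None


def process_response(payload: str, client_ip: str,
                     nat_map: Dict[str, str]) -> Tuple[str, List[Gate]]:
    """Rewrite announced hosts through nat_map and list the gates to open.

    A HOST is paired only with a PORT that appears before the next HOST.
    Anything malformed is left untouched and opens no gate, so a bad
    response can never widen the policy.
    """
    hosts = list(HOST_RE.finditer(payload))
    pieces: List[str] = []
    gates: List[Gate] = []
    last = 0
    for i, host_m in enumerate(hosts):
        limit = hosts[i + 1].start() if i + 1 < len(hosts) else len(payload)
        port_m = PORT_RE.search(payload, host_m.end(), limit)
        ip = valid_ipv4(host_m.group(1))
        port = valid_port(port_m.group(1)) if port_m else None
        if ip is None or port is None:
            continue
        advertised = nat_map.get(ip, ip)  # no mapping means no translation
        # Replace only the address itself so the original spacing survives.
        pieces.append(payload[last:host_m.start(1)])
        pieces.append(advertised)
        last = host_m.end(1)
        gates.append(Gate(client_ip, advertised, ip, port))
    pieces.append(payload[last:])
    # The rewritten text can differ in length; a real ALG must also fix up
    # any length fields in the frame, which this model does not carry.
    return "".join(pieces), gates


if __name__ == "__main__":
    rewritten, opened = process_response(
        SAMPLE_RESPONSE, "198.51.100.7", {"10.1.1.20": "203.0.113.20"})
    print(rewritten)
    for gate in opened:
        print(gate)
```

Each gate is tied to the requesting client and a single port, which is the property to verify when reviewing what an ALG opens on a production policy.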
Chassis Clustering
- Active/active chassis clustering
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
The data plane now supports active/active chassis clustering for these SRX-series devices. The chassis clustering on these SRX-series devices is no longer restricted to the creation of only one redundancy group beyond redundancy group 0. You can now configure one or more redundancy groups numbered 1 through 128. Multiple redundancy groups make it possible for traffic to arrive on an interface of one redundancy group and egress on an interface that belongs to another redundancy group. In this situation, the ingress and egress interfaces might not be active on the same node. When this happens, the traffic is forwarded over the fabric link to the appropriate node. SRX-series chassis clusters operate with an active/backup control plane.
- Control link recovery
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
Prior to this release, when a node was disabled due to control link failure, after fixing the issue, you had to manually reboot the disabled node to make the disabled node rejoin the cluster. With this release, you can specify that control link recovery be done automatically by the system by using the set chassis cluster control-link-recovery command (this feature is disabled by default). Once the system determines that the control link is healthy, it issues an automatic reboot on the disabled node. When the disabled node reboots, the node rejoins the cluster. There is no need for any manual intervention.
- Cold synchronization monitoring
This feature is now supported on SRX 210, SRX 240, and SRX650 devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
The process of synchronizing data plane RTOs (runtime objects) on the startup of the Services Processing Units (SPUs) or flowd is called cold sync. Chassis clustering supports the process of monitoring the cold-sync state of all SPUs or flowd on a node. Also, if you enable preempt, cold-sync monitoring prevents the node from taking over mastership until the cold-sync process is completed for all the SPUs or flowd on the node.
- Flowd monitoring
This feature is supported on SRX 210 devices.
Chassis clustering supports the process of monitoring the health of the flowd process. A failed flowd process causes failover of redundancy group x to the secondary node.
- SNMP failover traps
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
Chassis clustering supports SNMP traps, which are triggered whenever there is a redundancy group failover. You can specify that a trace log be generated by using the set chassis cluster traceoptions flag snmp command.
- SPU monitoring
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
Chassis clustering supports the process of monitoring the health of the SPUs and of the central point (CP). A single, failed SPU causes failover of redundancy group x to the secondary node. A central point failure triggers failover to the secondary node.
Intrusion Detection and Prevention (IDP)
- Configuring IDP test conditions in custom anomaly attacks
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
The user can now see the supported test conditions for a protocol in the CLI.
When configuring IDP custom attacks, you can now list supported test conditions for a specific protocol. For example, to configure test conditions for ICMP:
- List supported test conditions for ICMP and choose the one you want to configure:
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test icmp?
Possible completions:
<test> Protocol anomaly condition to be checked
ADDRESSMASK_REQUEST
DIFF_CHECKSUM_IN_RESEND
DIFF_CHECKSUM_IN_RESPONSE
DIFF_LENGTH_IN_RESEND
- Configure the service for which you want to configure the test condition.
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set service ICMP
- Configure the test condition (specifying the protocol name is not required):
[edit security idp custom-attack test1 attack-type anomaly]
user@host# set test ADDRESSMASK_REQUEST
Interfaces and Routing
- Class of Service (CoS)
This feature is now supported on SRX 210, SRX 240, and SRX650 devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
CoS allows you to divide traffic into classes and specify various levels of throughput and packet loss when congestion occurs. This allows packet loss to occur according to the rules you configure. For more information about the JUNOS implementation of CoS and about configuring CoS, see the JUNOS Software Interfaces and Routing Configuration Guide.
- Configuring simple filters and policers
This feature is supported on SRX 3400 and SRX 3600 devices.
To handle oversubscribed traffic in the SRX 3400 and SRX 3600 series devices, you can configure simple filters and policing. The simple filter functionality comprises the following:
- Classifying packets according to configured policies
- Taking appropriate actions based on the results of classification
- Intermediate System-to-Intermediate System (IS-IS)
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
IS-IS is a classless interior routing protocol developed by the International Organization for Standardization (ISO) as part of the development of the Open Systems Interconnection (OSI) protocol suite. Like OSPF routing, IS-IS uses hello packets that allow network convergence to occur quickly when network changes are detected.
For more information about the IS-IS protocol and about configuring IS-IS, see the JUNOS Software Interfaces and Routing Configuration Guide.
- Jumbo frame support
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
This release supports jumbo frames, or 9192-byte MTUs, on Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces. To configure jumbo frame support, see the JUNOS Software Interfaces and Routing Configuration Guide.
- Layer 2 bridging and transparent mode
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
This release provides Layer 2 bridging with transparent mode. Transparent mode provides full security services on top of Layer 2 bridging functions. An SRX services gateway operates in Layer 2 transparent mode when all physical interfaces on the device are configured as Layer 2 logical interfaces. There is no command to enable transparent mode on the device.

Note: You cannot define both Layer 2 and Layer 3 logical interfaces on a physical interface.
To configure a Layer 2 logical interface, use the unit statement at the [edit interfaces] hierarchy, and configure the logical interface with the bridge family type. You can configure the logical interface as an access or a trunk interface.
A bridge domain is a set of logical interfaces that share the same flooding or broadcast characteristics. You can configure a set of bridge domains that are associated with a trunk interface. The set of bridge domains then functions as a switch: a packet received on a trunk interface is forwarded based on the VLAN ID (a packet is forwarded within the bridge domain that has the same VLAN ID as the packet) and destination MAC. VLAN-based MAC learning, forwarding, and aging are supported. To configure a bridge domain, use the [edit bridge-domains] hierarchy to specify the VLAN ID(s) for packets that will be forwarded on the bridge domain.

Note: In this release, Layer 2 bridging does not support STP. It is the user’s responsibility to ensure that no flooding loops exist in the network topology.
You can optionally configure an integrated routing and bridging (IRB) interface for management traffic on the device. For this release, the IRB interface does not support traffic forwarding or routing. To configure an IRB interface, create an irb logical interface in the [edit interfaces] hierarchy, and then reference the IRB interface in the [edit bridge-domains] hierarchy.
When packets are forwarded through a bridge domain, security policies can be applied between Layer 2 security zones. To create Layer 2 security zones, use the security-zone statement at the [edit security zones] hierarchy, and specify the interfaces that belong to the zone. (The IRB interface cannot be assigned to any security zone.) You can configure screen options, address books, or TCP-RST for Layer 2 security zones.

Note: You can configure the same screen options for a Layer 2 security zone as for a Layer 3 security zone, with the exception of IP spoofing.
You configure a transparent mode security policy in the same way as for policies configured for Layer 3 zones, with the following exceptions:
- NAT is not supported
- Layer 2 IPsec VPN is not supported
- ALGs are not supported
- IDP policies are not supported for Layer 2 traffic
To configure a transparent mode security policy, use the [edit security policies] hierarchy.

Note: Chassis clustering of SRX devices in transparent mode is not supported in this release.
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
- 3G wireless network connections
This feature is supported on SRX 210 devices.
This release allows SRX 210 devices to use 3G networks as primary or backup WAN links. Juniper supports the following 3G wireless modem cards installed in the ExpressCard slot of the SRX 210 services gateway:
- Sierra Wireless AirCard Global System for Mobile communications (GSM) High-Speed Downlink Packet Access (HSDPA) ExpressCard
- Sierra Wireless AirCard Code-Division Multiple Access (CDMA) 1xEvolution-Data Optimized (EV-DO) rev. A ExpressCard
The physical interface cl-0/0/8 is created automatically when the 3G modem is installed in the SRX 210 services gateway. To configure the interface, use the set interfaces cl-0/0/8 statement at the [set interfaces] hierarchy level. To configure the logical dialer interface, use the set interfaces dln statement at the [set interfaces] hierarchy level. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
- Multicast Interfaces
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
Multicast traffic streams between a single source and multiple destinations. In Protocol Independent Multicast (PIM) sparse mode, the first-hop routing platform encapsulates packets destined for the rendezvous point device. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the rendezvous point. The rendezvous point then de-encapsulates the packets and transmits them through its multicast tree.
Within a device, packets are routed to the PIM interfaces pe-0/0/0 for encapsulation and pd-0/0/0 for de-encapsulation. These interfaces are not associated with physical network interfaces and are created internally when you issue the set protocol pim command. You must configure PIM with the [edit protocols pim] hierarchy to perform PIM encapsulation or de-encapsulation.
For more information about multicast protocols and configuring multicast protocols on Juniper Networks devices, see the JUNOS Multicast Protocols Configuration Guide.
IPsec
- IPsec multiple flow thread architecture
This feature is now supported on SRX 210, SRX 240 and SRX650 devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
These devices provide a multiple flow thread architecture that results in increased IPsec performance. For more information, see the JUNOS Software Security Configuration Guide.
- Dynamic VPN
This feature is supported on SRX 210 and SRX 240 devices.
The dynamic VPN feature uses Internet Protocol Security (IPsec) technology to create secure VPN tunnels. This feature simplifies remote access by enabling users to establish VPN tunnels without having to manually configure VPN settings on their PCs or laptops. Instead, the client is dynamically delivered to users from the SRX 210 or SRX 240 devices upon successful authentication. This Layer 3 remote access client uses client-side configuration settings that it receives from the server to create and manage a secure VPN tunnel to the server. For more information, see the JUNOS Software Security Configuration Guide.
Management and Administration
- Support for the TFTPBOOT installation method
This feature is supported on SRX 210 devices.
You install the JUNOS software by using the Trivial File Transfer Protocol BOOT (TFTPBOOT) method. During installation of the JUNOS software, the secondary boot loader in the services gateway retrieves the JUNOS software package from a TFTP server. The software image is then installed on the internal flash. Using TFTP installation to install a new image will wipe out any user-generated configurations on the router. The router will come up with the factory default configuration.

Note: The TFTPBOOT method can be used only on LANs.
To install the software image on the internal flash, issue the following command at the loader prompt.
Loader > install URL
where URL is tftp://<tftp server ip> <package name>
You can use the TFTPBOOT method in the following scenarios:
- To bring up the SRX 210 services gateway if the standard boot process fails
- To install the JUNOS software on the SRX 210 services gateway for the first time
- To start JUNOS without using the NAND flash
For more information about the other installation methods, see the JUNOS Software Administration Guide for Security Devices.
Security
- Unified Access Control (UAC) integration
This feature is now supported on SRX 240 and SRX650 devices. Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
You can configure an SRX-series services gateway to act as a JUNOS Enforcer in a Unified Access Control (UAC) deployment. When deployed as a JUNOS Enforcer, the SRX-series device enforces the policies that are defined on the UAC’s Infranet Controller. To configure the SRX-series device as a JUNOS Enforcer, enable the application-services statement at the [edit security policies from-zone zone-name to-zone zone-name policy match then permit] hierarchy level. Then use the unified-access-control statement at the [edit services] hierarchy level to configure UAC features. For more information, see the JUNOS Software Security Configuration Guide.
- Unified Threat Management (UTM) features
These features are supported on SRX 210, SRX 240, and SRX650 devices.
- Antispam—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string.
The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.
To configure antispam, use the antispam statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Content filtering—Content filtering blocks or allows certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.
To configure content filtering, use the content-filtering statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Express antivirus—Express antivirus scanning is offered as a less CPU intensive alternative to the full file-based antivirus feature. The express antivirus feature, like the full antivirus feature, scans specific Application Layer traffic for viruses against a virus signature database. However, unlike full antivirus, express antivirus does not reconstruct the original application content. Rather, it just sends (streams) the received data packets, as is, to the scan engine. With express antivirus, the virus scanning is executed by a hardware pattern matching engine. This improves performance while scanning is occurring, but the level of security provided is lessened. Juniper Networks provides the scan engine. The express antivirus scanning feature is a separately licensed subscription service.
To configure express antivirus, use the antivirus juniper-express-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Full file-based antivirus—A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.
To configure full file-based antivirus, use the antivirus kaspersky-lab-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Integrated Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. With the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service.
To configure integrated Web filtering, use the web-filtering surf-control-integrated statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Redirect Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license.
To configure redirect Web filtering, use the web-filtering websense-redirect statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- UTM licensing—The majority of UTM features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs.
To apply your UTM license, use the system license update statement at the [request] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
- Antivirus SNMP support—SNMP support is provided for the following antivirus functionality: scan engine monitoring, signature database update status, and scan statistics.
For more information, see the JUNOS Network Management Guide.
Hardware Features—SRX 210 Services Gateways
Hardware
JUNOS software for the SRX 210 services gateway integrates the world-class network security and routing capabilities of Juniper Networks. JUNOS software for the SRX 210 includes a wide range of security services, including policies, screens, Network Address Translation (NAT), and other flow-based services, that are also supported on the other SRX-series services gateways.
The SRX 210 services gateway offers features that provide complete functionality and flexibility for delivering secure Internet and intranet access. This services gateway offers stable, reliable, and efficient IP routing along with WAN and LAN connectivity. The gateway provides Internet Protocol Security (IPsec), virtual private network (VPN), and firewall services for small and medium companies and enterprise branch and remote offices.
The SRX 210 services gateway can be connected directly to traditional private networks, such as leased line, Frame Relay, and MPLS networks, or the public Internet.
There are three variants of the SRX 210 services gateway:
- Low Memory
- High Memory
- Power over Ethernet (PoE)
The SRX 210 services gateway has redundant and resilient hardware. The following table provides the SRX 210 services gateway chassis specifications.
Table 3: SRX 210 Services Gateway Chassis Specifications
| Description | Value |
| --- | --- |
| Chassis height | 1 rack unit (U) |
| Chassis width | 11 in. (280 mm) |
| Chassis depth | 7 in. (179 mm) |
The following table provides information about the SRX 210 services gateway hardware features.
Table 4: SRX 210 Services Gateway Hardware Features
| Feature | Description |
| --- | --- |
| Gigabit Ethernet | Two ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. In the PoE version, the PoE is supported on both ports. |
| Fast Ethernet | Six ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100 Mbps. In the PoE version, the PoE is supported on the first two Fast Ethernet ports. |
| Universal serial bus | Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters. |
| Console | One port on the front panel functions as a management port for directly logging into a device to configure it by using the CLI. |
| ExpressCards | One slot on the rear panel can hold a 3G wireless ExpressCard. |
| Mini-PIM | One slot on the front panel supports the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, ADSL, and Serial interfaces: |
| External power supply | The total power consumption by the three SRX 210 services gateway variants is as follows: |
| Memory | |
For more information, see the SRX 210 Services Gateway Hardware Guide.
Support for the 3G ExpressCard
Wireless WAN access is becoming widely available and comparable in cost to ISDN and DSL. The SRX 210 services gateway provides support for a wireless interface that serves both as a backup and as the primary WAN connection.
Juniper Networks supports 3G wireless modem cards that you can install into the ExpressCard slot in SRX 210 services gateways.
The 3G ExpressCard provides the following key features:
- Operating mode selection—You can select the operating mode you want to use for the 3G ExpressCard. The supported operating modes are EVDO, HSDPA, and Automatic.
- Activation of new cards through the CLI—You can activate CDMA ExpressCards through the JUNOS CLI.
- Unlocking ExpressCards—You can unlock both CDMA and Global System for Mobile (GSM) ExpressCards through the JUNOS CLI.
- Call logging support—Call logging provides details about the calling number, dialed number, direction and duration of the call, and traffic.
For more information, see the SRX 210 Services Gateway Hardware Guide.
Support for PoE
Power over Ethernet (PoE) is the implementation of the IEEE 802.3af standard, allowing both data and electric power to pass over a copper Ethernet LAN cable.
The SRX 210 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports transfer electrical power, along with data, to remote devices over standard twisted-pair cable in an Ethernet network. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VoIP phones, wireless LAN access points, and IP telephones.
You can configure the gateway to act as power sourcing equipment to supply the power to powered devices connected on the designated ports.
The following table lists the SRX 210 services gateway PoE specifications.
Table 5: SRX 210 Services Gateway PoE Specifications
| Power Management Schemes | Value |
|---|---|
| Supported standards | |
| Supported ports | PoE is supported on the two Gigabit Ethernet ports and two Fast Ethernet ports. |
| Total PoE power sourcing capacity | 50 W |
| Per port power limit | 15.4 W |
| Power management modes | |
ADSL Interface Support on SRX 210
The SRX 210 services gateway provides a single-port ADSL2+ Mini-Physical Interface Module (Mini-PIM). The ADSL2+ Mini-PIM provides a single physical interface for ADSL network media types.
The ADSL2+ Mini-PIM supports the following operational modes:
- ADSL mode for ANNEX-A
- ADSL mode for ANNEX-B
- ADSL mode for ANNEX-M
The ADSL interface provides the following key features:
- Automatic configuration of the ADSL line after negotiation with the DSLAM, minimizing configuration
- Supports ADSL, ADSL2, and ADSL2+ protocols on the same interface card
- Gasp support
- MLPPP over two ADSL cards
- Asynchronous Transfer Mode (ATM) Adaptation Layer 5 (AAL5) encapsulation
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.
Support for the T1 and E1 Interfaces
The T1/E1 Mini-Physical Interface Module (Mini-PIM) provides the physical connection to T1 or E1 network media types and also performs T1 or E1 framing and line-speed signaling.
The T1 and E1 interfaces provide the following key features:
- Integrated channel service unit (CSU) or data service unit (DSU) to eliminate the need for a separate external device.
- 56-Kbps and 64-Kbps operating modes
- Independent internal and external clocking option
- Alarm reporting with a 24-hour history
- Loopback, bit error rate test (BERT), facilities data link [FDL (T1 only)], and Long Buildout (T1 only) diagnostics
- Multilink Frame Relay and Multilink PPP support
- Complete configuration and management by CLI and J-Web
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide for Security Devices.
Support for Connectivity to a Gigabit Ethernet Device or Network
The 1-Port Small Form factor Pluggable (SFP) Mini-Physical Interface Module (Mini-PIM) provides connectivity to a single Gigabit Ethernet device or network.
The 1-Port SFP Mini-PIM provides the following key features:
- Enables you to install and remove transceivers without powering down the device
- Provides real-time visual status of connectivity and traffic flows
- Provides Link Up/Down alarm
- Supports different transceiver types
For more information, see the SRX 210 Services Gateway Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very few control signals. In a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for establishing, maintaining, and terminating a connection. A modem is a typical DCE device. A serial cable connects the DCE to a telephony network where, ultimately, a link is established with data terminal equipment (DTE). DTE is typically where a link terminates.
Key Features
- Autoselection of operation modes based on DTE or DCE cables
- Local and remote loopback diagnostics
- Configurable clock rate for the transmit (TX) clock and receive (RX) clock
- Complete configuration and management by CLI and J-Web configuration editor
Hardware Features—SRX 240 Services Gateways
Hardware
JUNOS software for the SRX 240 services gateway integrates the world-class network security and routing capabilities of Juniper Networks products. JUNOS software for the SRX 240 services gateway includes a wide range of security services, including policies, screens, NAT, and other flow-based services that are also supported on the other SRX-series services gateways.
The SRX 240 device offers features that provide complete functionality and flexibility for delivering secure Internet and intranet access. The SRX 240 device offers stable, reliable, and efficient IP routing and WAN and LAN connectivity. The device provides IP Security (IPsec), virtual private network (VPN), and firewall services for small and medium companies and enterprise branch and remote offices.
The SRX 240 services gateway can be connected directly to a traditional private network, such as a leased line, Frame Relay, or Multiprotocol Label Switching (MPLS) network, as well as to the public Internet.
There are three types of SRX 240 services gateways:
- Low Memory
- High Memory
- PoE
Table 6 lists the hardware features supported on the SRX 240 services gateway.
Table 6: Hardware Features of the SRX 240 Services Gateway
| Features | SRX 240 Services Gateway Low Memory | SRX 240 Services Gateway High Memory | SRX 240 Services Gateway PoE |
|---|---|---|---|
| DDR Memory | 512 MB | 1 GB | 1 GB |
| PoE Support | No | No | Yes |
| Input Power | 119 W | 128 W | 317 W |
| AC input voltage | 100 to 240 VAC | 100 to 240 VAC | 100 to 240 VAC |
The SRX 240 services gateway has redundant and resilient hardware.
Table 7 describes the SRX 240 services gateway hardware specifications.
Table 7: Hardware Specifications of the SRX 240 Services Gateway
| Description | Value |
|---|---|
| Chassis height | 1 Rack Unit (U) |
| Chassis width | 17.5 in (444 mm) |
| Chassis depth | 16 in (408.23) |
| Maximum thermal output | SRX 240 Low Memory: AC Power 396 BTU/hour (116W), DC Power 338 BTU/hour (99W); SRX 240 High Memory: AC Power 427 BTU/hour (125W), DC Power 365 BTU/hour (107W); SRX 240 PoE: AC Power 560 BTU/hour (164W), DC Power 478 BTU/hour (140W) |
| Temperature | Normal operation ensured in temperature range of 32°F (0°C) to 104°F (–40°C); nonoperating storage temperature in shipping container: –40°F (–40°C) to 158°F (70°C) |
Table 8 describes the SRX 240 services gateway hardware features.
Table 8: SRX 240 Services Gateway Hardware Features
| Features | Description |
|---|---|
| Gigabit Ethernet | Sixteen ports on the front panel provide LAN and WAN connectivity to hubs, switches, local servers, and workstations with link speeds of 10/100/1000 Mbps. Note: On the PoE version of the SRX 240 services gateway, all 16 Gigabit Ethernet ports support PoE. |
| Universal Serial Bus (USB) | Two ports on the front panel support a USB storage device that can function as a secondary boot device in the event of internal flash failure. USB ports also provide interfaces for communicating with peripherals such as USB storage devices and USB storage device adapters. |
| Console | One port on the front panel functions as a management port for directly logging into a device to configure it using the CLI. |
| Mini-PIM | Four slots on the front panel support the following Mini-Physical Interface Modules (Mini-PIMs) to provide LAN and WAN functionality, along with access to the T1, E1, Gigabit Ethernet, and ADSL interfaces: T1/E1 Mini-PIM; 1-port SFP Mini-PIM; ADSL2+ Mini-PIM; Serial Mini-PIM |
| Power supply | 100 to 240 VAC (Integrated single AC power supply) |
| Memory | Fixed Random Access Memory (RAM): 512 MB; Boot flash: 4 MB; Internal flash: 1 GB |
For more information, see the SRX 240 Services Gateway Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very few control signals. In a basic serial setup, the data circuit-terminating equipment (DCE) is responsible for establishing, maintaining, and terminating a connection. A modem is a typical DCE device. A serial cable connects the DCE to a telephony network where, ultimately, a link is established with data terminal equipment (DTE). DTE is typically where a link terminates.
Key Features
- Autoselection of operational modes based on DTE or DCE cables
- Local and remote loopback diagnostics
- Configurable clock rate for transmit (TX) and receive (RX) clocks
- Complete configuration and management by CLI and J-Web configuration editor
For more information, see the SRX 240 Services Gateway Hardware Guide.
Power Over Ethernet
Introduction
Power over Ethernet (PoE) is the implementation of the IEEE 802.3 AF standard, allowing both data and electric power to pass over a copper Ethernet LAN cable.
The SRX 240 services gateway supports PoE on Gigabit Ethernet ports. The PoE ports transfer electrical power, along with data, to remote devices over standard twisted-pair cable in an Ethernet network. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VOIP phones, wireless LAN access points, and IP telephones.
You can configure the gateway to act as power sourcing equipment to supply the power to powered devices connected on the designated ports.
SRX 240 Services Gateway PoE Specifications
Table 9 lists the SRX 240 Services Gateway PoE specifications:
Table 9: SRX 240 Services Gateway PoE Specifications
| Power Management Schemes | Values |
|---|---|
| Supported standards | |
| Supported ports | Supported on all sixteen Gigabit Ethernet ports |
| Total PoE power sourcing capacity | 150 W |
| Per port power limit | 30 W |
| Power management modes | |
Hardware Features—SRX650 Services Gateways
Hardware
The SRX650 is a mid-range dynamic services gateway that consolidates network infrastructure and security applications for regional offices, large branch offices, and small to medium enterprises. The services gateway provides cost-effective, scalable integration of routing, security, and other mid-range applications for these sites.
The SRX650 services gateway has a modular 2U chassis that fits a 19-inch rack with a depth of approximately 18.1 inches. It contains a rear-pluggable Services and Routing Engine (SRE) module that improves processing performance for mid-range applications, particularly routing and firewall services.
The SRX650 services gateway provides the following features:
- Symmetric Multiprocessing (SMP)-based data forwarding.
- Hardware-based control and data plane separation.
- 4 on-board 10/100/1000Base-T Gigabit Ethernet ports.
- A Services and Routing Engine with 1 GB memory configuration, which contains the management ports (console and USB) for the services gateway.
- Support for dual AC power supplies with a redundant configuration in the chassis (approximately 645 W power supply is supported). The AC power supplies are hot-swappable.
- Support for 2 GB CompactFlash (CF) storage devices. The SRE contains a hot-pluggable CF storage device used to upload and download files, and the chassis contains a CF storage device used to store the operating system.
- JUNOS support for advanced security and routing services on the SRE.
Services and Routing Engine module—The Services and Routing Engine (SRE) module provides processing power for security services, routing protocol processes, and other software processes that control the services gateway interfaces, some of the chassis components, system management, and user access to the device.
The services gateway must have at least one SRE installed. You can install additional SREs to increase processing power or to create SRE redundancy. SREs install horizontally in the back of the chassis in slots SRE0 and SRE1/SRE1.1. An SRE weighs 3 lbs 13.6 oz (1.75 kg).
Caution: SREs are not Online Insertion and Removal (OIR) capable. You must power off the services gateway before removing or inserting an SRE.
Note: Slot SRE0 is a full-length slot capable of holding a full-slot module such as an SRE. The SRE1 and SRE1.1 slots are capable of holding either two half-slot modules or one full-slot module.
If a slot is not occupied by a card, a blank panel must be installed to shield the empty slot and to maintain proper cooling of the services gateway.
Note: For this release, the SRE must be installed into the lower slot (SRE0).
Gigabit-Backplane Pluggable Interface Modules—The SRX650 services gateway supports the following Gigabit-backplane Pluggable Interface Modules (GPIMs):
- 16-Port Gigabit Ethernet XGPIM
- 16-Port Gigabit Ethernet with PoE XGPIM
- 24-Port Gigabit Ethernet XPIM
- 24-Port Gigabit Ethernet with PoE XPIM
- Dual T1/E1 GPIM: contains 2 fixed T1/E1 ports labeled 0 to 1, which support framed clear channel
- Quad T1/E1 GPIM: contains 4 fixed T1/E1 ports labeled 0 to 3, which support framed clear channel
A GPIM is a network interface card that installs in the front slots of the services gateway to provide physical connections to a LAN or a WAN. The GPIM receives incoming packets from a network and transmits outgoing packets to a network.
PIM Terminology:
- GPIM — Gigabit-backplane PIM (GPIM) includes standard GPIMs that are installed in a single high, single wide GPIM slot and has gigabit connectivity to the system backplane.
- XGPIM — The XGPIM can only be installed in the 20-gigabit GPIM slots (slots 2 and 6 on the front panel).
- XPIM — The XGPIM can only be installed in the 20-gigabit GPIM slots (slots 2 and 6 on the front panel).

Caution: GPIMs are not Online Insertion and Removal (OIR) capable. You must power off the services gateway before removing or inserting a GPIM. Ensure that the GPIM is installed in the appropriate GPIM slot before powering on the services gateway.
The services gateway GPIMs communicate with the backplane at various performance levels and might require specific GPIM slot placement. GPIM slots are located in the front of the chassis and can hold up to 8 standard GPIMs. The Dual T1/E1 GPIM and Quad T1/E1 GPIM can be plugged into any GPIM slot on the services gateway and provide the physical connection to T1 or E1 network media types. The SRX650 services gateway chassis can also hold GPIMs that use more than one standard slot:
- Double-high single-wide, which uses two standard slots vertically
- Double-high double-wide, which uses two vertical and two horizontal slots for a total of four standard slots

Note: When installing the 24-Port Gigabit Ethernet XPIM, which uses four slots, you must install it in the 20-gigabit GPIM slots 2 and 6, which refer to the bottom four slots 1 to 4, or the top four slots 5 to 8.
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following common key features for both T1 and E1 modes:
- HDLC operating mode supports 56-Kbps and 64-Kbps
- Independent internal and external clocking option
- Alarm reporting with 24-hour history
- MTU supports 9K bytes
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following key features specific to either T1 or E1 modes as listed in Table 10.
Table 10: Dual T1/E1 GPIM and Quad T1/E1 Specific T1 or E1 Features
Description
T1 Mode
E1 Mode
Operation modes
- Framed clear channel
- Fractional operation mode supports flexible configuration for time slots (numbered 1-24)
- Framed clear channel (64-Kbps)
- Unframed clear channel
- Fractional operation mode supports flexible configuration for time slots (numbered 0-31)
Framing
- Superframe (D4/SF)
- Extended Superframe (ESF)
- G704
- G704 with no CRC4
- G703 Unframed
Line encoding
- B8ZS
- AMI
- HDB3
USB Support
The following USB devices have been tested with SRX650 devices:
- Sandisk micro (1 and 2 GB)
- Lexar (1 and 2 GB)

Note: Contact a customer service representative for more information on supported USB devices.
Power over Ethernet
Both 16-Port XGPIM and 24-Port XPIM support Power over Ethernet (PoE) if a PoE-capable power supply and PIM module are installed in the chassis. PoE is the implementation of the IEEE 802.3 AF standard, which allows both data and electric power to pass over a copper Ethernet LAN cable. The active Services and Routing Engine (SRE) manages the overall system PoE power.
The SRX650 services gateway provides PoE ports, which supply electric power over the same ports that are used to connect network devices. PoE ports allow you to plug in devices that require both network connectivity and electric power, such as VOIP, IP phones, and wireless access points. You can configure the services gateway to act as power sourcing equipment to supply the power to the GPIMs connected on the designated PoE ports.
Table 11 lists the SRX650 Services Gateway PoE Specifications.
Table 11: SRX650 Services Gateway PoE Specifications
| Power Management Schemes | Values |
|---|---|
| Supported standards | |
| Supported slots | PoE is supported on the following front panel slots: |
| Total PoE power sourcing capacity | |
| Per-port power limit | 31.2 W |
| Power management modes | |
For more information, see the SRX650 Services Gateway Hardware Guide.
Hardware Features—SRX 5600 and SRX 5800 Services Gateways
Flex I/O Card
This release of JUNOS supports the new SRX5K-FPC-IOC modular Flex I/O Card (IOC) for the SRX 5600 and SRX 5800 services gateways.
Flex IOCs are IOCs that have two slots and accept port modules that add Ethernet ports to your services gateway. A flex IOC with port modules installed in it functions in the same way as a regular IOC, but allows greater flexibility in adding different types of Ethernet ports to your services gateway.
Table 12 lists the Port Modules for SRX 5600 and SRX 5800 services gateway Flex IOC.
Table 12: Port Modules for SRX 5600 and SRX 5800 Services Gateway Flex IOC
| Module | Port type | Ports |
|---|---|---|
| SRX-IOC-16GE-TX | 10/100/1000 RJ-45 | 16 |
| SRX-IOC-4XGE-XFP | 10 Gigabit XFP | 4 |
Note: A third port module type, the SRX-IOC-16GE-SFP, is described in the SRX 5600 Services Gateway Hardware Guide and SRX 5800 Services Gateway Hardware Guide, but this is not available in the 9.5 release.
Related Topics
- Known Limitations in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Issues in JUNOS Software Release 9.5 for SRX-series Services Gateways
- Errata in Documentation for JUNOS Software Release 9.5 for SRX-series Services Gateways
- Unsupported CLI Statements and Commands in JUNOS Software Release 9.5 for SRX-series Services Gateways