ON THIS PAGE
What's New
This section describes new features as well as enhancements to existing features starting in Junos OS Release 20.1R1 for cSRX support.
Monitoring and Troubleshooting
System logs and real-time logs support (cSRX)—Starting in Junos OS Release 20.1R1, cSRX supports system log messages (syslog messages) and real-time logs (rtlogs) to monitor traffic.
[See Junos OS System Log Overview and Understanding Stream Logging for Security Devices.]
Supported Features
The cSRX Container Firewall inherits many of the branch SRX Series Junos OS features. This topic outlines the SRX Series features supported by cSRX along with the features that are not applicable in a containerized environment.
SRX Series Features Supported on cSRX
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Table 1: SRX Series Features Supported on cSRX
Feature | Considerations |
|---|---|
Application Firewall (AppFW) | |
Application Identification (AppID) | |
Application Tracking (AppTrack) | |
Basic firewall policy | |
Brute force attack mitigation | - |
Central management | CLI only. No J-Web support. |
DDoS protection | |
DoS protection | |
Interfaces | Two revenue network interfaces (eth1 and eth2). |
Intrusion Detection and Prevention (IDP) | For SRX Series IPS configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series |
IPv4 and IPv6 | |
Jumbo frames | |
Malformed packet protection | - |
Network Address Translation (NAT) | For SRX Series NAT configuration details, see: |
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding. |
SYN cookie protection | |
User firewall | For SRX Series user firewall configuration details, see: |
Unified Threat Management (UTM) | For SRX Series UTM configuration details, see: Unified Threat Management Overview For SRX Series UTM antispam configuration details, see: |
Zones and zone-based IP spoofing |
SRX Series Features Not Supported on cSRX
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
Table 2: SRX Series Features Not Supported on cSRX
| SRX Series Feature |
|---|---|
| Application Layer Gateways | |
Avaya H.323 | |
| Authentication with IC Series Devices | |
Layer 2 enforcement in UAC deployments Note: UAC-IDP and UAC-UTM also are not supported. | |
| Class of Service | |
High-priority queue on SPC | |
Tunnels | |
| Data Plane Security Log Messages (Stream Mode) | |
TLS protocol | |
| Diagnostics Tools | |
Flow monitoring cflowd version 9 | |
Ping Ethernet (CFM) | |
Traceroute Ethernet (CFM) | |
| DNS Proxy | |
Dynamic DNS | |
| Ethernet Link Aggregation | |
LACP in standalone or chassis cluster mode | |
Layer 3 LAG on routed ports | |
Static LAG in standalone or chassis cluster mode | |
| Ethernet Link Fault Management | |
Physical interface (encapsulations) | |
ethernet-ccc | |
extended-vlan-ccc | |
Interface family | |
ccc, tcc | |
ethernet-switching | |
| Flow-Based and Packet-Based Processing | |
End-to-end packet debugging | |
Network processor bundling | |
Services offloading | |
| Interfaces | |
Aggregated Ethernet interface | |
IEEE 802.1X dynamic VLAN assignment | |
IEEE 802.1X MAC bypass | |
IEEE 802.1X port-based authentication control with multisupplicant support | |
Interleaving using MLFR | |
PoE | |
PPP interface | |
PPPoE-based radio-to-router protocol | |
PPPoE interface | |
Promiscuous mode on interfaces | |
| IP Security and VPNs | |
Acadia - Clientless VPN | |
DVPN | |
Hardware IPsec (bulk crypto) Cavium/RMI | |
IPsec tunnel termination in routing instances | |
Multicast for AutoVPN | |
Suite B implementation for IPsec VPN | |
| IPv6 Support | |
DS-Lite concentrator (also known as AFTR) | |
DS-Lite initiator (also known as B4) | |
| Log File Formats for System (Control Plane) Logs | |
Binary format (binary) | |
WELF | |
| Miscellaneous | |
AppQoS | |
Chassis cluster | |
GPRS | |
Hardware acceleration | |
High availability | |
J-Web | |
Logical systems | |
MPLS | |
Outbound SSH | |
Remote instance access | |
RESTCONF | |
Juniper Sky ATP | |
SNMP | |
Spotlight Secure integration | |
USB modem | |
Wireless LAN | |
| MPLS | |
CCC and TCC | |
Layer 2 VPNs for Ethernet connections | |
| Network Address Translation | |
Maximize persistent NAT bindings | |
| Packet Capture | |
Packet capture Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth). | |
| Routing | |
BGP extensions for IPv6 | |
BGP Flowspec | |
BGP route reflector | |
Bidirectional Forwarding Detection (BFD) for BGP | |
CRTP | |
| Switching | |
Layer 3 Q-in-Q VLAN tagging | |
| Transparent Mode | |
UTM | |
| Unified Threat Management | |
Express AV | |
Kaspersky AV | |
| Upgrading and Rebooting | |
Autorecovery | |
Boot instance configuration | |
Boot instance recovery | |
Dual-root partitioning | |
OS rollback | |
| User Interfaces | |
NSM | |
SRC application | |
Junos Space Virtual Director | |