This section describes new features as well as enhancements to existing features starting in Junos OS Release 20.2R1 for cSRX support.
Juniper Agile Licensing support for cSRX—Starting in cSRX 20.2R1, Juniper Agile Licensing supports the cSRX Container Firewall, a containerized version of the SRX Series Services Gateway.
Juniper Agile Licensing provides simplified and centralized license administration and deployment. Using Juniper Agile Licensing, you can install and manage licenses for hardware and software features.
You require new license keys to use the licenses for cSRX Container Firewall features. Contact Customer Care to exchange license keys from releases earlier than cSRX 20.2R1.
Contrail network support (cSRX)—Starting in Junos OS Release 20.2R1, we have integrated cSRX Container Firewall into a Contrail network as a distributed host-based firewall service on a Docker container. Using this deployment, you can obtain agile, elastic, and cost-saving security services.
The new virtual solution provides the following capabilities:
Layer 7 security protection (antivirus, application firewall, IPS, application identification, URL filtering, user firewall, UTM content and Web filtering only)
Automated service provisioning and orchestration
Distributed and multitenant traffic securing
Centralized management with Junos Space Security Director, including dynamic policy and address update, remote log collections, and security events monitoring
Scalable security services with small footprints
The cSRX Container Firewall inherits many of the branch SRX Series Junos OS features. This topic outlines the SRX Series features supported by cSRX along with the features that are not supported in a containerized environment.
SRX Series Features Supported on cSRX
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Table 1: SRX Series Features Supported on cSRX
Application Firewall (AppFW)
Application Identification (AppID)
Application Tracking (AppTrack)
Basic firewall policy
Brute force attack mitigation
CLI and Security Director only. No J-Web support.
Up to 15 revenue interfaces
Intrusion Detection and Prevention (IDP)
For SRX Series IPS configuration details, see:
IPv4 and IPv6
Malformed packet protection
Network Address Translation (NAT)
For SRX Series NAT configuration details, see:
Basic Layer 3 forwarding with VLANs.
Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding.
SYN cookie protection
For SRX Series user firewall configuration details, see:
Unified Threat Management (UTM)
For SRX Series UTM configuration details, see:
For SRX Series UTM antispam configuration details, see:
Zones and zone-based IP spoofing
SRX Series Features Not Supported on cSRX
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
Table 2: SRX Series Features Not Supported on cSRX
SRX Series Feature
|Application Layer Gateways|
|Authentication with IC Series Devices|
Layer 2 enforcement in UAC deployments
Note: UAC-IDP and UAC-UTM also are not supported.
|Class of Service|
High-priority queue on SPC
|Data Plane Security Log Messages (Stream Mode)|
Flow monitoring cflowd version 9
Ping Ethernet (CFM)
Traceroute Ethernet (CFM)
|Ethernet Link Aggregation|
LACP in standalone or chassis cluster mode
Layer 3 LAG on routed ports
Static LAG in standalone or chassis cluster mode
|Ethernet Link Fault Management|
Physical interface (encapsulations)
|Flow-Based and Packet-Based Processing|
End-to-end packet debugging
Network processor bundling
Aggregated Ethernet interface
IEEE 802.1X dynamic VLAN assignment
IEEE 802.1X MAC bypass
IEEE 802.1X port-based authentication control with multisupplicant support
Interleaving using MLFR
PPPoE-based radio-to-router protocol
Promiscuous mode on interfaces
|IPSec and VPNs|
DS-Lite concentrator (also known as AFTR)
DS-Lite initiator (also known as B4)
|Log File Formats for System (Control Plane) Logs|
Binary format (binary)
Remote instance access
Juniper Sky ATP
Spotlight Secure integration
CCC and TCC
Layer 2 VPNs for Ethernet connections
|Network Address Translation|
Maximize persistent NAT bindings
BGP extensions for IPv6
BGP route reflector
Bidirectional Forwarding Detection (BFD) for BGP
Layer 3 Q-in-Q VLAN tagging
|Unified Threat Management|
|Upgrading and Rebooting|
Boot instance configuration
Boot instance recovery
Junos Space Virtual Director