What's New

 

This section describes new features as well as enhancements to existing features starting in Junos OS Release 20.2R1 for cSRX support.

Licensing

  • Juniper Agile Licensing support for cSRX—Starting in cSRX 20.2R1, Juniper Agile Licensing supports the cSRX Container Firewall, a containerized version of the SRX Series Services Gateway.

    Juniper Agile Licensing provides simplified and centralized license administration and deployment. Using Juniper Agile Licensing, you can install and manage licenses for hardware and software features.

    You require new license keys to use the licenses for cSRX Container Firewall features. To exchange license keys from releases earlier than cSRX 20.2R1, contact Customer Care.

    [See Flex Software Subscription Model Support, Juniper Agile Licensing Guide, and Managing cSRX Licenses]

Security

  • Contrail network support (cSRX)—Starting in Junos OS Release 20.2R1, we have integrated cSRX Container Firewall into a Contrail network as a distributed host-based firewall service on a Docker container. Using this deployment, you can obtain agile, elastic, and cost-saving security services.

    The new virtual solution provides the following capabilities:

    • Layer 7 security protection (antivirus, application firewall, IPS, application identification, URL filtering, user firewall, UTM content and Web filtering only)

    • Automated service provisioning and orchestration

    • Distributed and multitenant traffic securing

    • Centralized management with Junos Space Security Director, including dynamic policy and address update, remote log collections, and security events monitoring

    • Scalable security services with small footprints

    [See cSRX as Contrail Host-based Firewall User Guide.]

Supported Features

The cSRX Container Firewall inherits many of the branch SRX Series Junos OS features. This topic outlines the SRX Series features supported by cSRX along with the features that are not supported in a containerized environment.

SRX Series Features Supported on cSRX

Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.

To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.

Table 1: SRX Series Features Supported on cSRX

| Feature | Considerations |
|---|---|
| Application Firewall (AppFW) | Application Firewall Overview |
| Application Identification (AppID) | Understanding Application Identification Techniques |
| Application Tracking (AppTrack) | Understanding AppTrack |
| Basic firewall policy | Understanding Security Basics |
| Brute force attack mitigation | - |
| Central management | CLI and Security Director only. No J-Web support. |
| DDoS protection | DoS Attack Overview |
| DoS protection | DoS Attack Overview |
| Interfaces | Up to 15 revenue interfaces; Network Interfaces |
| Intrusion Detection and Prevention (IDP) | For SRX Series IPS configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series |
| IPv4 and IPv6 | Understanding IPv4 Addressing; Understanding IPv6 Address Space |
| Jumbo frames | Understanding Jumbo Frames Support for Ethernet Interfaces |
| Malformed packet protection | - |
| Network Address Translation (NAT) | For SRX Series NAT configuration details, see: Introduction to NAT |
| Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding. |
| SYN cookie protection | Understanding SYN Cookie Protection |
| User firewall | For SRX Series user firewall configuration details, see: Overview of Integrated User Firewall |
| Unified Threat Management (UTM) | For SRX Series UTM configuration details, see: Unified Threat Management Overview. For SRX Series UTM antispam configuration details, see: Antispam Filtering Overview |
| Zones and zone-based IP spoofing | Understanding IP Spoofing |

SRX Series Features Not Supported on cSRX

Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.

Table 2: SRX Series Features Not Supported on cSRX

                                              

SRX Series Feature

  • Application Layer Gateways
    • Avaya H.323
  • Authentication with IC Series Devices
    • Layer 2 enforcement in UAC deployments
      Note: UAC-IDP and UAC-UTM also are not supported.
  • Class of Service
    • High-priority queue on SPC
    • Tunnels
  • Data Plane Security Log Messages (Stream Mode)
    • TLS protocol
  • Diagnostics Tools
    • Flow monitoring cflowd version 9
    • Ping Ethernet (CFM)
    • Traceroute Ethernet (CFM)
  • DNS Proxy
    • Dynamic DNS
  • Ethernet Link Aggregation
    • LACP in standalone or chassis cluster mode
    • Layer 3 LAG on routed ports
    • Static LAG in standalone or chassis cluster mode
  • Ethernet Link Fault Management
    • Physical interface (encapsulations)
      • ethernet-ccc
      • ethernet-tcc
      • extended-vlan-ccc
      • extended-vlan-tcc
    • Interface family
      • ccc, tcc
      • ethernet-switching
  • Flow-Based and Packet-Based Processing
    • End-to-end packet debugging
    • Network processor bundling
    • Services offloading
  • Interfaces
    • Aggregated Ethernet interface
    • IEEE 802.1X dynamic VLAN assignment
    • IEEE 802.1X MAC bypass
    • IEEE 802.1X port-based authentication control with multisupplicant support
    • Interleaving using MLFR
    • PoE
    • PPP interface
    • PPPoE-based radio-to-router protocol
    • PPPoE interface
    • Promiscuous mode on interfaces
  • IPSec and VPNs
    • Not supported
  • IPv6 Support
    • DS-Lite concentrator (also known as AFTR)
    • DS-Lite initiator (also known as B4)
  • Log File Formats for System (Control Plane) Logs
    • Binary format (binary)
    • WELF
  • Miscellaneous
    • AppQoS
    • Chassis cluster
    • GPRS
    • Hardware acceleration
    • High availability
    • J-Web
    • Logical systems
    • MPLS
    • Outbound SSH
    • Remote instance access
    • RESTCONF
    • Juniper Sky ATP
    • SNMP
    • Spotlight Secure integration
    • USB modem
    • Wireless LAN
  • MPLS
    • CCC and TCC
    • Layer 2 VPNs for Ethernet connections
  • Network Address Translation
    • Maximize persistent NAT bindings
  • Packet Capture
    • Packet capture
  • Routing
    • BGP extensions for IPv6
    • BGP Flowspec
    • BGP route reflector
    • Bidirectional Forwarding Detection (BFD) for BGP
    • CRTP
  • Switching
    • Layer 3 Q-in-Q VLAN tagging
  • Transparent Mode
    • UTM
  • Unified Threat Management
    • Express AV
    • Kaspersky AV
  • Upgrading and Rebooting
    • Autorecovery
    • Boot instance configuration
    • Boot instance recovery
    • Dual-root partitioning
    • OS rollback
  • User Interfaces
    • NSM
    • SRC application
    • Junos Space Virtual Director