Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Junos OS Features Supported on cSRX

    cSRX provides Layer 4 through 7 secure services in a containerized environment.

    Note: While the security services features between cSRX and vSRX are similar, there are scenarios in which each product is the optimal option in your environment. For example, the cSRX does not support routing instances and protocols, switching features, MPLS LSPs and MPLS applications, chassis cluster, and software upgrade features. For environments that require routing or switching, a vSRX VM provides the best feature set. For environments focused on security services in a Docker containerized deployment, cSRX is a better fit.

    This section presents an overview of the Junos OS features on cSRX. It includes

    Supported SRX Series Features on cSRX

    Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.

    To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.

    Table 1: SRX Series Features Supported on cSRX



    Application Firewall (AppFW)

    Application Firewall Overview

    Application Identification (AppID)

    Understanding Application Identification Techniques

    Application Tracking (AppTrack)

    Understanding AppTrack

    Basic firewall policy

    Understanding Security Basics

    Brute force attack mitigation

    Central management

    CLI only. No J-Web support.

    DDoS protection

    DoS Attack Overview

    DoS protection

    DoS Attack Overview


    Two revenue network interfaces (eth1, and eth2).

    Network Interfaces

    Intrusion Detection and Prevention (IDP)

    For SRX Series IPS configuration details, see:

    Understanding Intrusion Detection and Prevention for SRX Series

    IPv4 and IPv6

    Understanding IPv4 Addressing

    Understanding IPv6 Address Space

    Jumbo frames

    Understanding Jumbo Frames Support for Ethernet Interfaces

    Malformed packet protection

    Network Address Translation (NAT)

    Includes support for all NAT functionality on the cSRX platform, such as:

    • Source NAT

    • Destination NAT

    • Static NAT

    • Persistent NAT and NAT64

    • NAT hairpinning

    • NAT for multicast flows

    For SRX Series NAT configuration details, see:

    Introduction to NAT


    Basic Layer 3 forwarding with VLANs.

    Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding

    SYN cookie protection

    Understanding SYN Cookie Protection

    User Firewall

    Includes support for all user firewall functionality on the cSRX platform, such as:

    • Policy enforcement with matching source identity criteria

    • Logging with source identity information

    • Integrated user firewall with active directory

    • Local authentication

    For SRX Series user firewall configuration details, see:

    Overview of Integrated User Firewall

    Unified Threat Management (UTM)

    Includes support for all UTM functionality on the cSRX platform, such as:

    • Antispam

    • Sophos Antivirus

    • Web filtering

    • Content filtering

    For SRX Series UTM configuration details, see:

    Unified Threat Management Overview

    For SRX Series UTM antispam configuration details, see:

    Antispam Filtering Overview

    Zones and zone-based IP spoofing

    Understanding IP Spoofing

    SRX Series Features Not Supported on cSRX

    Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.

    Table 2: SRX Series Features Not Supported on cSRX


    SRX Series Feature

    Application Layer Gateways

    Avaya H.323

    Authentication with IC Series Devices

    Layer 2 enforcement in UAC deployments

    Note: UAC-IDP and UAC-UTM also are not supported.

    Class of Service

    High-priority queue on SPC


    Data Plane Security Log Messages (Stream Mode)

    TLS protocol

    Diagnostics Tools

    Flow monitoring cflowd version 9

    Ping Ethernet (CFM)

    Traceroute Ethernet (CFM)

    DNS Proxy

    Dynamic DNS

    Ethernet Link Aggregation

    LACP in standalone or chassis cluster mode

    Layer 3 LAG on routed ports

    Static LAG in standalone or chassis cluster mode

    Ethernet Link Fault Management

    Physical interface (encapsulations)



    Interface family

    ccc, tcc


    Flow-Based and Packet-Based Processing

    End-to-end packet debugging

    Network processor bundling

    Services offloading


    Aggregated Ethernet interface

    IEEE 802.1X dynamic VLAN assignment

    IEEE 802.1X MAC bypass

    IEEE 802.1X port-based authentication control with multisupplicant support

    Interleaving using MLFR


    PPP interface

    PPPoE-based radio-to-router protocol

    PPPoE interface

    Promiscuous mode on interfaces

    IP Security and VPNs

    Acadia - Clientless VPN


    Hardware IPsec (bulk crypto) Cavium/RMI

    IPsec tunnel termination in routing instances

    Multicast for AutoVPN

    Suite B implementation for IPsec VPN

    IPv6 Support

    DS-Lite concentrator (also known as AFTR)

    DS-Lite initiator (also known as B4)

    Log File Formats for System (Control Plane) Logs

    Binary format (binary)




    Chassis cluster


    Hardware acceleration

    High availability


    Logical systems


    Outbound SSH

    Remote instance access


    Sky ATP


    Spotlight Secure integration

    USB modem

    Wireless LAN


    CCC and TCC

    Layer 2 VPNs for Ethernet connections

    Network Address Translation

    Maximize persistent NAT bindings

    Packet Capture

    Packet capture

    Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth).


    BGP extensions for IPv6

    BGP Flowspec

    BGP route reflector

    Bidirectional Forwarding Detection (BFD) for BGP



    Layer 3 Q-in-Q VLAN tagging

    Transparent Mode


    Unified Threat Management

    Express AV

    Kaspersky AV

    Upgrading and Rebooting


    Boot instance configuration

    Boot instance recovery

    Dual-root partitioning

    OS rollback

    User Interfaces


    SRC application

    Junos Space Virtual Director

    User Firewall

    SSL proxy

    Modified: 2018-03-20