Junos OS Features Supported on cSRX
cSRX provides Layer 4 through 7 secure services in a containerized environment.
 | Note: While the security services features between cSRX and vSRX are similar, there are scenarios in which each product is the optimal option in your environment. For example, the cSRX does not support routing instances and protocols, switching features, MPLS LSPs and MPLS applications, chassis cluster, and software upgrade features. For environments that require routing or switching, a vSRX VM provides the best feature set. For environments focused on security services in a Docker containerized deployment, cSRX is a better fit. |
This section presents an overview of the Junos OS features on cSRX. It includes
Supported SRX Series Features on cSRX
Table 1 provides a high-level summary of the feature categories supported on cSRX and any feature considerations.
To determine the Junos OS features supported on cSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Table 1: SRX Series Features Supported on cSRX
Feature | Considerations |
|---|---|
Application Firewall (AppFW) | |
Application Identification (AppID) | |
Application Tracking (AppTrack) | |
Basic firewall policy | |
Brute force attack mitigation | |
Central management | CLI only. No J-Web support. |
DDoS protection | |
DoS protection | |
Interfaces | Two revenue network interfaces (eth1, and eth2). |
Intrusion Detection and Prevention (IDP) | For SRX Series IPS configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series |
IPv4 and IPv6 | |
Jumbo frames | |
Malformed packet protection | |
Network Address Translation (NAT) | Includes support for all NAT functionality on the cSRX platform, such as:
For SRX Series NAT configuration details, see: |
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding |
SYN cookie protection | |
User Firewall | Includes support for all user firewall functionality on the cSRX platform, such as:
For SRX Series user firewall configuration details, see: |
Unified Threat Management (UTM) | Includes support for all UTM functionality on the cSRX platform, such as:
For SRX Series UTM configuration details, see: Unified Threat Management Overview For SRX Series UTM antispam configuration details, see: |
Zones and zone-based IP spoofing |
SRX Series Features Not Supported on cSRX
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX.
Table 2: SRX Series Features Not Supported on cSRX
| SRX Series Feature |
|---|---|
| Application Layer Gateways | |
Avaya H.323 | |
| Authentication with IC Series Devices | |
Layer 2 enforcement in UAC deployments Note: UAC-IDP and UAC-UTM also are not supported. | |
| Class of Service | |
High-priority queue on SPC | |
Tunnels | |
| Data Plane Security Log Messages (Stream Mode) | |
TLS protocol | |
| Diagnostics Tools | |
Flow monitoring cflowd version 9 | |
Ping Ethernet (CFM) | |
Traceroute Ethernet (CFM) | |
| DNS Proxy | |
Dynamic DNS | |
| Ethernet Link Aggregation | |
LACP in standalone or chassis cluster mode | |
Layer 3 LAG on routed ports | |
Static LAG in standalone or chassis cluster mode | |
| Ethernet Link Fault Management | |
Physical interface (encapsulations) | |
ethernet-ccc | |
extended-vlan-ccc | |
Interface family | |
ccc, tcc | |
ethernet-switching | |
| Flow-Based and Packet-Based Processing | |
End-to-end packet debugging | |
Network processor bundling | |
Services offloading | |
| Interfaces | |
Aggregated Ethernet interface | |
IEEE 802.1X dynamic VLAN assignment | |
IEEE 802.1X MAC bypass | |
IEEE 802.1X port-based authentication control with multisupplicant support | |
Interleaving using MLFR | |
PoE | |
PPP interface | |
PPPoE-based radio-to-router protocol | |
PPPoE interface | |
Promiscuous mode on interfaces | |
| IP Security and VPNs | |
Acadia - Clientless VPN | |
DVPN | |
Hardware IPsec (bulk crypto) Cavium/RMI | |
IPsec tunnel termination in routing instances | |
Multicast for AutoVPN | |
Suite B implementation for IPsec VPN | |
| IPv6 Support | |
DS-Lite concentrator (also known as AFTR) | |
DS-Lite initiator (also known as B4) | |
| Log File Formats for System (Control Plane) Logs | |
Binary format (binary) | |
WELF | |
| Miscellaneous | |
AppQoS | |
Chassis cluster | |
GPRS | |
Hardware acceleration | |
High availability | |
J-Web | |
Logical systems | |
MPLS | |
Outbound SSH | |
Remote instance access | |
RESTCONF | |
Sky ATP | |
SNMP | |
Spotlight Secure integration | |
USB modem | |
Wireless LAN | |
| MPLS | |
CCC and TCC | |
Layer 2 VPNs for Ethernet connections | |
| Network Address Translation | |
Maximize persistent NAT bindings | |
| Packet Capture | |
Packet capture Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth). | |
| Routing | |
BGP extensions for IPv6 | |
BGP Flowspec | |
BGP route reflector | |
Bidirectional Forwarding Detection (BFD) for BGP | |
CRTP | |
| Switching | |
Layer 3 Q-in-Q VLAN tagging | |
| Transparent Mode | |
UTM | |
| Unified Threat Management | |
Express AV | |
Kaspersky AV | |
| Upgrading and Rebooting | |
Autorecovery | |
Boot instance configuration | |
Boot instance recovery | |
Dual-root partitioning | |
OS rollback | |
| User Interfaces | |
NSM | |
SRC application | |
Junos Space Virtual Director | |
| User Firewall | |
SSL proxy | |
