Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Junos OS Features Supported on cSRX Container Firewall

cSRX Container Firewall provides Layer 4 through 7 secure services in a containerized environment.

This section presents an overview of the Junos OS features on cSRX Container Firewall.

Supported SRX Series Features on cSRX Container Firewall

Table 1 provides a high-level summary of the feature categories supported on cSRX Container Firewall and any feature considerations.

To determine the Junos OS features supported on cSRX Container Firewall, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.

Table 1: SRX Series Features Supported on cSRX Container Firewall



Application Firewall (AppFW)

Application Firewall Overview

Application Identification (AppID)

Understanding Application Identification Techniques

Application Tracking (AppTrack)

Understanding AppTrack

Basic firewall policy

Understanding Security Basics

Brute force attack mitigation

Central management

CLI only. No J-Web support.

DDoS protection

DoS Attack Overview

DoS protection

DoS Attack Overview


A cSRX Container Firewall container supports 17 interfaces:

  • 1 Out-of-band management Interface (eth0)

  • 16 In-band interfaces (ge-0/0/0 to ge-0/0/15).

Network Interfaces

Intrusion Detection and Prevention (IDP)

For SRX Series IPS configuration details, see:

Understanding Intrusion Detection and Prevention for SRX Series

IPv4 and IPv6

Understanding IPv4 Addressing

Understanding IPv6 Address Space

Jumbo frames

Understanding Jumbo Frames Support for Ethernet Interfaces

Malformed packet protection

Network Address Translation (NAT)

Includes support for all NAT functionality on the cSRX Container Firewall platform, such as:

  • Source NAT

  • Destination NAT

  • Static NAT

  • Persistent NAT and NAT64

  • NAT hairpinning

  • NAT for multicast flows

For SRX Series NAT configuration details, see:

Introduction to NAT


Basic Layer 3 forwarding with VLANs.

Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding

SYN cookie protection

Understanding SYN Cookie Protection

System Logs and Real-Time Logs

Starting in Junos OS Release 20.1R1, you can monitor traffic using system logs and RTlogs.

User Firewall

Includes support for all user firewall functionality on the cSRX Container Firewall platform, such as:

  • Policy enforcement with matching source identity criteria

  • Logging with source identity information

  • Integrated user firewall with active directory

  • Local authentication

For SRX Series user firewall configuration details, see:

Overview of Integrated User Firewall

Content Security

Includes support for all Content Security functionality on the cSRX Container Firewall platform, such as:

  • Antispam

  • Sophos Antivirus

  • Web filtering

  • Content filtering

For SRX Series Content Security configuration details, see:

Unified Threat Management Overview

For SRX Series Content Security antispam configuration details, see:

Antispam Filtering Overview

Zones and zone-based IP spoofing

Understanding IP Spoofing

SRX Series Features Not Supported on cSRX Container Firewall

Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX Container Firewall.

Table 2: SRX Series Features Not Supported on cSRX Container Firewall


SRX Series Feature

Application Layer Gateways

Avaya H.323

Authentication with IC Series Devices

Layer 2 enforcement in UAC deployments


UAC-IDP and UAC-Content Security also are not supported.

Class of Service

High-priority queue on SPC


Data Plane Security Log Messages (Stream Mode)

TLS protocol

Diagnostics Tools

Flow monitoring cflowd version 9

Ping Ethernet (CFM)

Traceroute Ethernet (CFM)

DNS Proxy

Dynamic DNS

Ethernet Link Aggregation

LACP in standalone or chassis cluster mode

Layer 3 LAG on routed ports

Static LAG in standalone or chassis cluster mode

Ethernet Link Fault Management

Physical interface (encapsulations)



Interface family

ccc, tcc


Flow-Based and Packet-Based Processing

End-to-end packet debugging

Network processor bundling

Services offloading


Aggregated Ethernet interface

IEEE 802.1X dynamic VLAN assignment

IEEE 802.1X MAC bypass

IEEE 802.1X port-based authentication control with multisupplicant support

Interleaving using MLFR


PPP interface

PPPoE-based radio-to-router protocol

PPPoE interface

Promiscuous mode on interfaces


Acadia - Clientless VPN


Multicast for AutoVPN


All variants of IPsec are not supported.

IPv6 Support

DS-Lite concentrator (also known as AFTR)

DS-Lite initiator (also known as B4)

Log File Formats for System (Control Plane) Logs

Binary format (binary)




Chassis cluster


Hardware acceleration

High availability


Logical systems


Outbound SSH

Remote instance access


ATP Cloud


Spotlight Secure integration

USB modem

Wireless LAN



Layer 2 VPNs for Ethernet connections

Network Address Translation

Maximize persistent NAT bindings

Packet Capture

Packet capture


Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth).


BGP extensions for IPv6

BGP Flowspec

BGP route reflector

Bidirectional Forwarding Detection (BFD) for BGP



Layer 3 Q-in-Q VLAN tagging

Unsupported System Logs and Real-Time log functions

cSRX Container Firewall does not support all the log functions supported on other SRX Series Firewalls or vSRX Virtual Firewall instances due to limited CPU power and disk capacity.

Unsupported system logs and real-time log functions on cSRX Container Firewall are:

  • The binary log

  • On box logs (the LLMD daemon is not ported.)

  • On box reports (the LLMD daemon is not ported.)

  • TLS is not supported for sending stream mode security log to remote log server.

  • LSYS and Tenant related functions.

Transparent Mode

Content Security

Content Security

Express AV

Kaspersky AV

Upgrading and Rebooting


Boot instance configuration

Boot instance recovery

Dual-root partitioning

OS rollback

User Interfaces


SRC application

Junos Space Virtual Director

Application Security

SSL proxy