Junos OS Features Supported on cSRX Container Firewall
cSRX Container Firewall provides Layer 4 through 7 secure services in a containerized environment.
This section presents an overview of the Junos OS features on cSRX Container Firewall.
Supported SRX Series Features on cSRX Container Firewall
Table 1 provides a high-level summary of the feature categories supported on cSRX Container Firewall and any feature considerations.
To determine the Junos OS features supported on cSRX Container Firewall, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. See Feature Explorer.
Feature | Considerations |
---|---|
Application Firewall (AppFW) | |
Application Identification (AppID) | |
Application Tracking (AppTrack) | |
Basic firewall policy | |
Brute force attack mitigation | |
Central management | CLI only. No J-Web support. |
DDoS protection | |
DoS protection | |
Interfaces | A cSRX Container Firewall container supports 17 interfaces: |
Intrusion Detection and Prevention (IDP) | For SRX Series IPS configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series |
IPv4 and IPv6 | |
Jumbo frames | |
Malformed packet protection | |
Network Address Translation (NAT) | Includes support for all NAT functionality on the cSRX Container Firewall platform, such as: For SRX Series NAT configuration details, see: |
Routing | Basic Layer 3 forwarding with VLANs. Layer 2 through 3 forwarding functions: secure-wire forwarding or static routing forwarding |
SYN cookie protection | |
System Logs and Real-Time Logs | Starting in Junos OS Release 20.1R1, you can monitor traffic using system logs and RTlogs. |
User Firewall | Includes support for all user firewall functionality on the cSRX Container Firewall platform, such as: For SRX Series user firewall configuration details, see: |
Content Security | Includes support for all Content Security functionality on the cSRX Container Firewall platform, such as: For SRX Series Content Security configuration details, see: Unified Threat Management Overview. For SRX Series Content Security antispam configuration details, see: |
Zones and zone-based IP spoofing | |
SRX Series Features Not Supported on cSRX Container Firewall
Table 2 lists SRX Series features that are not applicable in a containerized environment, that are not currently supported, or that have qualified support on cSRX Container Firewall.
SRX Series Feature | |
---|---|
**Application Layer Gateways** | |
Avaya H.323 | |
**Authentication with IC Series Devices** | |
Layer 2 enforcement in UAC deployments. Note: UAC-IDP and UAC-Content Security also are not supported. | |
**Class of Service** | |
High-priority queue on SPC | |
Tunnels | |
**Data Plane Security Log Messages (Stream Mode)** | |
TLS protocol | |
**Diagnostics Tools** | |
Flow monitoring cflowd version 9 | |
Ping Ethernet (CFM) | |
Traceroute Ethernet (CFM) | |
**DNS Proxy** | |
Dynamic DNS | |
**Ethernet Link Aggregation** | |
LACP in standalone or chassis cluster mode | |
Layer 3 LAG on routed ports | |
Static LAG in standalone or chassis cluster mode | |
**Ethernet Link Fault Management** | |
Physical interface (encapsulations) | |
Interface family | |
**Flow-Based and Packet-Based Processing** | |
End-to-end packet debugging | |
Network processor bundling | |
Services offloading | |
**Interfaces** | |
Aggregated Ethernet interface | |
IEEE 802.1X dynamic VLAN assignment | |
IEEE 802.1X MAC bypass | |
IEEE 802.1X port-based authentication control with multisupplicant support | |
Interleaving using MLFR | |
PoE | |
PPP interface | |
PPPoE-based radio-to-router protocol | |
PPPoE interface | |
Promiscuous mode on interfaces | |
**VPNs** | |
Acadia - Clientless VPN | |
DVPN | |
Multicast for AutoVPN | |
IPsec | All variants of IPsec are not supported. |
**IPv6 Support** | |
DS-Lite concentrator (also known as AFTR) | |
DS-Lite initiator (also known as B4) | |
**Log File Formats for System (Control Plane) Logs** | |
Binary format (binary) | |
WELF | |
**Miscellaneous** | |
AppQoS | |
Chassis cluster | |
GPRS | |
Hardware acceleration | |
High availability | |
J-Web | |
Logical systems | |
MPLS | |
Outbound SSH | |
Remote instance access | |
RESTCONF | |
ATP Cloud | |
SNMP | |
Spotlight Secure integration | |
USB modem | |
Wireless LAN | |
**MPLS** | |
CCC and TCC | |
Layer 2 VPNs for Ethernet connections | |
**Network Address Translation** | |
Maximize persistent NAT bindings | |
**Packet Capture** | |
Packet capture. Note: Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on a redundant Ethernet interface (reth). | |
**Routing** | |
BGP extensions for IPv6 | |
BGP Flowspec | |
BGP route reflector | |
Bidirectional Forwarding Detection (BFD) for BGP | |
CRTP | |
**Switching** | |
Layer 3 Q-in-Q VLAN tagging | |
Unsupported System Logs and Real-Time log functions | cSRX Container Firewall does not support all the log functions supported on other SRX Series Firewalls or vSRX Virtual Firewall instances due to limited CPU power and disk capacity. Unsupported system logs and real-time log functions on cSRX Container Firewall are: |
**Transparent Mode** | |
Content Security | |
**Content Security** | |
Express AV | |
Kaspersky AV | |
**Upgrading and Rebooting** | |
Autorecovery | |
Boot instance configuration | |
Boot instance recovery | |
Dual-root partitioning | |
OS rollback | |
**User Interfaces** | |
NSM | |
SRC application | |
Junos Space Virtual Director | |
**Application Security** | |
SSL proxy | |