SRX1400, SRX3400, and SRX3600 Firewall Hardware Capabilities and Limitations

For SRX1400, SRX3400, and SRX3600 firewalls, each Input/Output Card (IOC), Flexible PIC Concentrator (FPC), or IOC slot has only one Physical Interface Card (PIC), which contains either two 10-Gigabit Ethernet ports or sixteen 1-Gigabit Ethernet ports. Table 1 shows the maximum number of cards and ports allowed in SRX1400, SRX3400, and SRX3600 firewalls.

Note:

On SRX5600 and SRX5800 firewalls, the port-to-NPU ratio is fixed at 10:1 for the 1-Gigabit IOC and 1:1 for the 10-Gigabit IOC. On SRX1400, SRX3400, and SRX3600 firewalls, the number of ports the Network Processing Unit (NPU) needs to handle might differ from these ratios, leading to oversubscription.

Platform support depends on the Junos OS release in your installation.

Table 1: Available NPCs and IO Ports for SRX1400, SRX3400, and SRX3600 Firewalls

| System  | IOCs | IO Ports          | NPCs |
|---------|------|-------------------|------|
| SRX3600 | 7    | 108 (16 x 6 + 12) | 3    |
| SRX3400 | 5    | 76 (16 x 4 + 12)  | 2    |
| SRX1400 | 2    | 28 (16 x 1 + 12)  | 1    |

SRX3400 and SRX3600 firewalls allow you to install up to three Network Processing Cards (NPCs). In a single-NPC configuration, the NPC has to process all of the packets to and from each IOC. When more than one NPC is available, however, an IOC exchanges packets only with a preassigned NPC. You can use the set chassis ioc-npc-connectivity CLI statement to configure the IOC-to-NPC mapping. By default, the mapping is assigned so that the load is shared equally among all NPCs. When the mapping changes (for example, an IOC or NPC is removed, or you map a specific NPC to an IOC), the firewall has to be restarted.

Note:

SRX1400 firewalls support a single NPC or an NSPC combo card.

For SRX1400, SRX3400, and SRX3600 firewalls, the IOC supports the following hierarchical scheduler characteristics:

  • Level 1: Shaping at the physical interface (ifd)

  • Level 2: Shaping and scheduling at the logical interface level (ifl)

  • Level 3: Scheduling at the queue level

Note:

Interface set (iflset) is not supported for SRX1400, SRX3400, and SRX3600 firewalls.

In SRX5600 and SRX5800 firewalls, an NPC supports 32 port-level shaping profiles at level 1, such that each front port can have its own shaping profile.

In SRX1400, SRX3400, and SRX3600 firewalls, an NPC supports only 16 port-level shaping profiles in the hardware, including two profiles that are predefined for 10-GB and 1-GB shaping rates. The user can configure up to 14 different levels of shaping rates. If more levels are configured, then the closest match found in the 16 profiles will be used instead.

For example, assume that a system is already configured with the following rates for ifd:

10 Mbps, 20 Mbps, 40 Mbps, 60 Mbps, 80 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 600 Mbps, 700 Mbps, 800 Mbps, 900 Mbps, 1 GB (predefined), 10 GB (predefined)

Each of these 16 rates is programmed into one of the 16 profiles in the hardware; then consider the following two scenarios:

  • Scenario 1: If the user changes one port’s shaping rate from 1 GB to 100 Mbps, which is already programmed in one of the 16 profiles, the profile with a 100 Mbps shaping rate will be used by the port.

  • Scenario 2: If the user changes another port’s shaping rate from 1 GB to 50 Mbps, which is not in the shaping profiles, the closest matching profile with a 60 Mbps shaping rate will be used instead.

When scenario 2 occurs, not all of the user-configured rates can be supported by the hardware. Even if more than 14 different rates are specified, only 14 will be programmed in the hardware. Which 14 rates are programmed in the hardware depends on many factors. For this reason, we recommend that you plan carefully and use no more than 14 levels of port-level shaping rates.
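The following planning check is an added example, not Juniper code: it maps each requested ifd shaping rate to the rate the hardware would apply, so that a port whose limit is silently replaced by a different one shows up before deployment. It assumes that an equidistant tie goes to the higher profile (as in scenario 2), that a free profile slot is used for a new rate, and it uses constructed port names.

```python
PREDEFINED_MBPS = (1_000, 10_000)  # the page's two predefined profiles (1 GB, 10 GB)
MAX_PROFILES = 16                  # hardware port-level shaping profiles per NPC


def closest_profile(rate_mbps, profiles):
    """Return the programmed profile nearest to rate_mbps.

    Assumption: an equidistant tie goes to the higher rate, which matches the
    page's scenario 2 (50 Mbps lands on 60 Mbps, not 40 Mbps).
    """
    return min(profiles, key=lambda p: (abs(p - rate_mbps), -p))


def audit_shaping_plan(programmed_mbps, requested):
    """Map each requested port rate to the rate the hardware would apply.

    programmed_mbps: user rates already programmed (predefined ones are added).
    requested: dict of port name -> requested ifd shaping rate in Mbps.
    Returns (effective, mismatches): effective maps port -> applied rate,
    mismatches lists (port, requested, applied) where the two differ.
    """
    profiles = set(programmed_mbps) | set(PREDEFINED_MBPS)
    if len(profiles) > MAX_PROFILES:
        raise ValueError("more than 16 profiles cannot be programmed")
    effective, mismatches = {}, []
    for port, rate in requested.items():
        if rate not in profiles and len(profiles) < MAX_PROFILES:
            profiles.add(rate)  # assumption: a free profile slot takes the new rate
        applied = rate if rate in profiles else closest_profile(rate, profiles)
        effective[port] = applied
        if applied != rate:
            mismatches.append((port, rate, applied))
    return effective, mismatches


# The 14 user-configured rates from the page's example (Mbps).
PAGE_RATES = [10, 20, 40, 60, 80, 100, 200, 300, 400, 500, 600, 700, 800, 900]
# Constructed port names; the requested rates are the page's scenarios 1 and 2.
SAMPLE_REQUESTS = {"ge-0/0/1": 100, "ge-0/0/2": 50}

if __name__ == "__main__":
    effective, mismatches = audit_shaping_plan(PAGE_RATES, SAMPLE_REQUESTS)
    for port, want, got in mismatches:
        print(f"{port}: requested {want} Mbps, hardware applies {got} Mbps")
```

Any entry in the mismatch list is a port whose enforced rate differs from the configured one; in scenario 2 the applied limit is looser than the one requested.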

Each device supports Weighted Random Early Discard (WRED) at the port level, and each NPU has 512 MB of frame memory. Also, 10-Gigabit Ethernet ports get more buffers than the 1-Gigabit Ethernet ports. Buffer availability depends on how much bandwidth (number of NPCs, ports, 1 GB or 10 GB, and so on) the device has to support. The more bandwidth that the device has to support, the less buffer is available. When two NPCs are available, the amount of frame buffer available is doubled.