Hardware

- New SRX4300 Firewall—Starting in Junos OS Release 24.2R1, we introduce the midrange SRX4300 Firewall. The SRX4300 Firewall provides next-generation firewall capabilities and advanced threat detection and mitigation. This firewall is ideal for small and medium-sized enterprise edge, campus edge, and data center edge firewall deployments, and for secure VPN router deployments in distributed enterprise use cases.

Table 1: Features Supported on SRX4300 Firewall (columns: Feature, Description)
Chassis

- Chassis and field-replaceable unit (FRU) management support, including:
  - Temperature threshold monitoring using sensors
  - Power supply unit (PSU) control
  - PIC detection
  - Fabric management
  - Fan speed adjustment as per EM policy
  [See Configuring Ambient Temperature and Chassis-Level User Guide.]
Chassis Cluster

- Support for in-service software upgrade (ISSU) and dual control links with Media Access Control Security (MACsec)
  [See Upgrading a Chassis Cluster Using In-Service Software Upgrade and Media Access Control Security (MACsec) on Chassis Cluster.]
Class of service (CoS)

- Support for CoS
Hardware

- The SRX4300 is a 1-U chassis with the following ports:
  - Eight 10GBASE-T multi-rate Gigabit Ethernet (mge) ports
  - Eight 10-Gigabit Ethernet (GbE) SFP+ ports
  - Four 25GbE SFP28 ports
  - Six 100GbE QSFP28 ports
  - Two 1GbE SFP HA ports
  All ports are MACsec capable. The chassis is available in AC and DC power variants.
  To install the SRX4300 hardware and perform initial software configuration, routine maintenance, and troubleshooting, see SRX4300 Firewall Hardware Guide.
  [See Feature Explorer for the complete list of features for any platform.]
High availability (HA) and resiliency

- Support for BFD
  - Minimum failure detection time of 3 x 300 milliseconds (a 300-ms minimum interval with a detection multiplier of 3, that is, about 900 ms)
  - Support for up to 100 BFD sessions
  [See Understanding BFD for Static Routes for Faster Network Failure Detection and Understanding How BFD Detects Network Failures.]
- Multinode High Availability supports Auto Discovery VPN (ADVPN) in node-local tunnel deployment.
  Node-local tunnels enhance Multinode High Availability by providing separate tunnels from a VPN peer device to both nodes in the setup. With ADVPN, VPN tunnels can be established dynamically between spokes. Combining ADVPN with Multinode High Availability in node-local tunnel deployment ensures robust network connectivity, efficient resource utilization, and seamless failover capability.
- Support for Multinode High Availability in routing, hybrid, and default gateway modes
  [See Multinode High Availability.]
- Provides platform software resiliency support for the following hardware components:
  - CPU
  - Peripheral Component Interconnect (PCI)
  - Memory
  - Solid state device (SSD)
  - Inter-integrated circuit (I2C)
  - Temperature sensor
  - Voltage sensor
  - Fan
  - Power supply units (PSUs) in 1+1 redundancy mode
  When a hardware component fails, Junos OS:
  - Logs a message with failure details, including time stamp, module name, and component name.
  - Raises or clears alarms, if applicable.
  - Lights the LED to indicate a FRU fault.
  - Performs local action, such as self-healing or taking the component out of service.
  [See Chassis-Level User Guide.]
Interfaces

- Interfaces support includes four PICs with the following default speeds:
  - PIC 0: 10 Gbps (copper)
  - PIC 1: 10 Gbps (SFP+)
  - PIC 2: 25 Gbps (SFP28)
  - PIC 3: 100 Gbps (QSFP28)
  Junos OS creates the PIC 0 interfaces by default. Junos OS creates the PIC 1, PIC 2, and PIC 3 interfaces when you insert SFP+, SFP28, and QSFP28 transceivers, respectively.
- Mixed speed support on SFP28 ports. The PIC supports two speed options: combined 1GbE/10GbE, or 25GbE.
Junos telemetry interface (JTI)

- Stream data from a device to a collector using basic JTI sensors and new flow monitoring sensors. Junos OS supports the following flow sensors:
  - PIC CPU utilization: /junos/security/spu/cpu
  - Flow sessions and flow packets: /junos/security/spu/flow
  - Flow sessions and flow packets for logical systems: /junos/security/spu/flow/lsys
  [For state sensors, see Junos YANG Data Model Explorer.]
Layer 7 security features

- Support for advanced policy-based routing (APBR)
- Support for application identification (AppID)
  [See Application Identification.]
- Support for application quality of experience (AppQoE)
- Support for application quality of service (AppQoS)
  [See Application QoS.]
- Support for Content Security
  [See Content Security Overview.]
- Support for intrusion detection and prevention (IDP)
- Support for Juniper ATP Cloud
  [See File Scanning Limits.]
- Support for Juniper Networks Deep Packet Inspection-Decoder (JDPI)
  [See Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder).]
- Support for SSL proxy
  [See SSL Proxy.]
MACsec

- Support for MACsec in static CAK mode on physical interfaces with the following cipher suites:
  - GCM-AES-128
  - GCM-AES-256
  - GCM-AES-XPN-128
  - GCM-AES-XPN-256
  Channelized ports and switch-to-switch connections support this feature.
  [See Configuring MACsec.]
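The following configuration is an added example and is not taken from the release notes or from Juniper documentation. It shows static CAK mode with the GCM-AES-XPN-256 cipher suite on one 100GbE port. The interface name (et-0/3/0, assumed to be the first QSFP28 port on PIC 3), the connectivity-association name, and the CKN/CAK values are assumptions made up for illustration; the key values are placeholders, not secrets to reuse. The XPN suites are the ones to pick on the 25GbE and 100GbE ports: they extend the MACsec packet number to 64 bits, so a single SAK is not exhausted within seconds at line rate the way a 32-bit packet number is, and MKA does not have to rekey constantly.

```junos
/* Added example (not from the release notes): MACsec static CAK on one
   100GbE port. Interface name, CA name and key values are assumptions. */
security {
    macsec {
        connectivity-association ca-dc-edge {
            /* Both ends hold the same pre-shared CKN/CAK; MKA derives and
               distributes the per-session SAK from it. */
            security-mode static-cak;
            /* XPN: 64-bit packet numbers, appropriate for 25GbE/100GbE links. */
            cipher-suite gcm-aes-xpn-256;
            /* Drop replayed or out-of-window frames. Window 0 means strict
               ordering; widen it only if the link legitimately reorders. */
            replay-protect {
                replay-window-size 0;
            }
            /* Carry the Secure Channel Identifier in the SecTAG. */
            include-sci;
            mka {
                /* Lower value wins the key-server election; give the
                   peer a higher value so the election is deterministic. */
                key-server-priority 1;
            }
            pre-shared-key {
                /* Placeholder values, 64 hex digits each (CAK is 256 bits
                   for the AES-256 suites). Generate the real CAK from a
                   CSPRNG and configure the identical CKN/CAK on the peer;
                   Junos stores the CAK encrypted in the committed config. */
                ckn a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90;
                cak 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0;
            }
        }
        interfaces {
            /* Assumed: first QSFP28 port on PIC 3. */
            et-0/3/0 {
                connectivity-association ca-dc-edge;
            }
        }
    }
}
```

Commit the matching configuration on the peer before expecting traffic to pass, then confirm the MKA session and the secure channels with show security mka sessions and show security macsec connections; per-interface encrypted and validated frame counters are in show security macsec statistics. Treat the CAK as you would any long-lived shared secret: rotate it on a schedule and after any staff change, since static CAK mode has no out-of-band key distribution of its own.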
Network management and monitoring

- Support for filter-based packet capture of real-time data packets traveling over the network. Datapath debugging is not yet supported.
  [See Example: Configure a Firewall Filter for Packet Capture.]
Remote access

- Support for remote access VPN using Juniper Secure Connect
Services applications

- Support for Application Layer Gateway (ALG)
  [See ALG Overview.]
- Support for ADVPN configuration with IPv6 addresses on firewalls that run the iked process for IPsec VPN service
  [See Auto Discovery VPNs.]
- Support for the ChaCha20-Poly1305 authenticated encryption algorithm for IPsec VPN services
  [See proposal (Security IKE) and proposal (Security IPsec).]
- Support for multicast traffic in AutoVPN and ADVPN using PIM sparse mode over an st0 point-to-multipoint (P2MP) interface on firewalls that run the iked process for IPsec VPN service. Supports IPv4 multicast in PIM sparse mode.
  [See AutoVPN and Auto Discovery VPNs.]
- Support for DNS
  [See Understanding and Configuring DNS, DNS ALG, DNS Proxy Overview, DNS Names in Address Books, and DNSSEC Overview.]
- Support for user authentication
  [See User Authentication Overview.]
- Support for security policies
- Support for security zones
  [See Security Zones.]
- Support for Network Address Translation (NAT)
  [See NAT Configuration Overview.]
- Support for screen options for attack detection and prevention
- Support for traffic processing
- Support for integrated user firewall
- Support for IPsec VPN with the iked process. Policy-based VPN and Group VPN are not yet supported.
- Support for PowerMode IPsec (PMI)
  [See PowerMode IPsec.]
- Support for DHCP
  [See DHCP Overview.]
- Support for GTP and SCTP
  [See Monitoring GTP Traffic and SCTP Overview.]
- Support for on-box reporting
  [See report (Security Log).]
- Support for inline active flow monitoring
- Support for TWAMP
- Support for RPM
- Support for logical systems
  [See Logical Systems Overview.]
Software Installation and Upgrade

- Support for BIOS, secure boot, and bootloader
- Support for jfirmware
  [See Installing and Upgrading Firmware, request system firmware upgrade, and show system firmware.]
- Support for secure zero-touch provisioning (ZTP)
User access and authentication administration

- Support for Trusted Platform Module (TPM)-based certificates for advanced anti-malware (AAMW) protection. To use the TPM-based certificates:
  - The device loads the TPM-based certificate using PKI during the device's start and restart operations. To view the TPM-based certificate, whose certificate ID is idev-id, use the show security pki node-local local-certificate certificate-id idev-id command.
  - SSL initiation uses the certificate to authenticate the device on the Transport Layer Security (TLS) connection. You configure the tpm option under the set services ssl initiation profile profile-name crypto-hardware-offload command.
  [See show security pki node-local local-certificate and profile (SSL Initiation).]