Hardware

• The 10x10GbE SFPP and 10x1GbE SFP MIC supports the MPC2E-NG and MPC3E-NG line cards on the MX240, MX480, MX960, MX2010, and MX2020 routers.This MIC has 10 ports that support 1-Gbps small form-factor pluggable (SFP) and 10-Gbps small form-factor pluggable plus (SFP+) transceivers along with PTP and MACsec capabilities.

  [See pic-mode and number-of-ports.]

• We support a new MIC, MIC-3D-10GbE-SFP-E, for the MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3DNG, and MPC3E-3D-NG-Q line cards.The MIC has ten 10GbE ports that support SFP and SFP+ transceivers. The ports provide MACsec support.

  [See MICs Supported by MX Series Routers.]

High availability and resiliency

• Support for MIC (MIC-3D-10GbE-SFP-E) resiliency in MX Series devices.

• Support for MIC with 1GbE SFP or 10GbE SFP+ ports along with PTP and MACsec capabilities on the line cards.

  [See Port Speed on MX Routers]

• Supported transceivers, optical interfaces, and DAC cables—Select your product in the Hardware Compatibility Tool to view the supported transceivers, optical interfaces, and direct attach copper (DAC) cables for your platform or interface module. We update the HCT and provide the first supported release information when the optic becomes available.

• Oversubscription and preclassification support for MIC MIC-3D-10GbE-SFP-E on MX Series devices.

  [See Oversubscription.]

MACsec

• Support for Media Access Control Security (MACsec) on physical and virtual interfaces with GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, and GCM-AES-XPN-256 encryption. Both physical and virtual interfaces support static connectivity association key (CAK) mode. Only physical interfaces support dynamic CAK mode, preshared key (PSK) hitless rollover keychain, and aggregated Ethernet.

  [See Configuring MACsec.]

• Precision Time Protocol with Media Access Control Security encryption (MIC-3D-10GbE-SFP-E) enables the simultaneous support of Precision Time Protocol (PTP) and Media Access Control Security (MACsec) encryption on a single port.

  The following limitations apply:

  • The maximum number of MACsec-enabled logical interfaces (IFL) is 200 per system.

  • The maximum number of MACsec-enabled ports with physical interfaces (IFDs) and IFLs where MACsec and PTP are enabled together on different ports is 200 per system.

  • The maximum number of IFLs that can be supported on both 1G and 10G ports is 128.

  • PTP in clear text mode is not supported.

Timing

• Synchronous Ethernet with G.8262 standard support on MIC-3D-10GbE-SFP-E. We support Synchronous Ethernet with G.8262 in compliance with the following International Telecommunication Union Telecommunication Standardization (ITU-T) standard to facilitate the transference of clock signals over the Ethernet physical layer.

  Synchronous Ethernet (G.8262). Timing and synchronization aspects in packet networks. Specifies timing characteristics of synchronous Ethernet equipment clock (EEC).

  [See Synchronous Ethernet.]

• Precision Time Protocol with G.8275.1 standard support on MIC-3D-10GbE-SFP-E. We support Precision Time Protocol with G.8275.1 in compliance with the following International Telecommunication Union Telecommunication Standardization (ITU-T) standards to facilitate distribution of precise time and frequency over packet-switched Ethernet networks.

  • G.8275.1—PTP profile for phase and time (full timing support)

  • G.8275.1—PTP profile for phase and time over link aggregation group (LAG)

  [See Precision Time Protocol.]

Chassis

• Chassis and field-replaceable unit (FRU) management support, including:

  • Temperature threshold monitoring using sensors

  • Power supply unit (PSU) control

  • PIC detection

  • Fabric management

  • Fan speed adjustment as per EM policy

  [See Configuring Ambient Temperature and Chassis-Level User Guide.]

Chassis Cluster

• Support for in-service software upgrade (ISSU) and dual control links with Media Access Control Security (MACsec)

  [See Upgrading a Chassis Cluster Using In-Service Software Upgrade and Media Access Control Security (MACsec) on Chassis Cluster.]

Class of service (CoS)

• Support for CoS

  [See Understanding Class of Service.]

Hardware

• The SRX4300 is a 1-U chassis with the following ports:

  • Eight 10 multi-rate Gigabit Ethernet interface (mge) BASE-T ports

  • Eight 10-Gigabit Ethernet (GbE) SFP+ ports

  • Four 25GbE SFP28 ports

  • Six 100GbE QSFP28 ports

  • Two 1GbE SFP HA ports

  All ports are MACsec capable and support both AC and DC variants.

  To install the SRX4300 hardware and perform initial software configuration, routine maintenance, and troubleshooting, see SRX4300 Firewall Hardware Guide.

  [See Feature Explorer for the complete list of features for any platform.]

High availability (HA) and resiliency

• Support for BFD

  • Support up to 3 x 300-millisecond (msec) failure detection time

  • Support up to 100 BFD sessions

  [See Understanding BFD for Static Routes for Faster Network Failure Detection and Understanding How BFD Detects Network Failures.]

• Multinode High Availability supports Auto Discovery VPN (ADVPN) in node-local tunnel deployment.

  Node-local tunnels enhance Multinode High Availability by providing separate tunnels from a VPN peer device to both nodes in the setup. With ADVPN, VPN tunnels can be established dynamically between spokes. Combining ADVPN with Multinode High Availability in node-local tunnel deployment ensures robust network connectivity, efficient resource utilization, and seamless failover capability.

  [See IPsec VPN Support in Multinode High Availability.]

• Support for Multinode High Availability in routing, hybrid, and default gateway modes

  [See Multinode High Availability.]

• Provides platform software resiliency support for the following hardware components:

  • CPU

  • Peripheral Component Interconnect (PCI)

  • Memory

  • Solid state device (SSD)

  • Inter-integrated circuit (I2C)

  • Temperature sensor

  • Voltage sensor

  • Fan

  • Power supply units (PSUs) in 1+1 redundancy mode

  When a hardware component fails, the Junos OS software:

  • Logs the message with failure details, including time stamp, module name, and component name.

  • Raises or clears alarms, if applicable.

  • Makes the LED glow to indicate FRU fault.

  • Performs local action, such as self-healing and taking the component out of service.

  [See Chassis-Level User Guide.]

Interfaces

• Interfaces support includes four PICs with the following default speeds:

  • PIC 0 with 10 Gbps (Copper)

  • PIC 1 with 10 Gbps (SFP+)

  • PIC 2 with 25 Gbps (SFP28)

  • PIC 3 with 100 Gbps (QSFP28)

  Junos OS creates PIC 0 by default. You can create PIC 1, PIC 2, and PIC 3 interfaces by inserting SFP+, SFP28, and QSFP28 transceivers, respectively.

  [See Port Speed on SRX Series Firewalls.]

• Mixed speed support on SFP28 ports.

  You can configure two options in PIC mode; 1GbE/10GbE combined and 25GbE.

  [See Port Speed on SRX Series Firewalls.]

Junos telemetry interface (JTI)

• Stream data from a device to a collector using basic JTI sensors and new flow monitoring sensors. Junos OS supports the following flow sensors:

  • PIC CPU utilization /junos/security/spu/cpu

  • Flow session and flow packets /junos/security/spu/flow

  • Flow session and flow packets for logical systems /junos/security/spu/flow/lsys

  [For state sensors, see Junos YANG Data Model Explorer.]

Layer 7 security features

• Support for advanced policy-based routing (APBR)

  [See Advanced Policy-Based Routing.]

• Support for application identification (AppID)

  [See Application Identification.]

• Support for application quality of experience (AppQoE)

  [See Application Quality of Experience.]

• Support for application quality of service (AppQoS)

  [See Application QoS.]

• Support for Content Security

  [See Content Security Overview.]

• Support for intrusion detection and prevention (IDP)

  [See Intrusion Detection and Prevention Overview.]

• Support for Juniper ATP Cloud

  [See File Scanning Limits.]

• Support for Juniper Networks Deep Packet Inspection-Decoder (JDPI)

  [See Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder).]

• Support for SSL proxy

  [See SSL Proxy.]

MACsec

• Support for MACsec in static CAK mode on physical interfaces with the following encryptions:

  • GCM-AES-128

  • GCM-AES-256

  • GCM-AES-XPN-128

  • GCM-AES-XPN-256

  Channelized ports and switch-to-switch connections support this feature.

  [See Configuring MACsec.]

Network management and monitoring

• Support for filter-based packet capture for real-time data packets traveling over the network. Support for datapath debugging is not yet available.

  [See Example: Configure a Firewall Filter for Packet Capture.]

Remote access

• Support for remote access VPN using Juniper Secure Connect

  [SeeJuniper Secure Connect Administrator Guide.]

Services applications

• Support for Application Layer Gateway (ALG)

  [See ALG Overview.]

• Support for ADVPN configuration with IPv6 address on firewalls that run the iked process for IPsec VPN service

  [See Auto Discovery VPNs.]

• Support for ChaCha20-Poly1305 authenticated encryption algorithm for IPsec VPN services

  [See proposal (Security IKE) and proposal (Security IPsec).]

• Support for multicast traffic in AutoVPN and ADVPN with iked process using PIM sparse mode over st0 P2MP interface on firewalls that run the iked process for IPsec VPN service. Supports IPv4 multicast in PIM sparse mode.

  [See AutoVPN and Auto Discovery VPNs.]

• Support for DNS

  [See Understanding and Configuring DNS, DNS ALG, DNS Proxy Overview, DNS Names in Address Books, and DNSSEC Overview.]

• Support for user authentication

  [See User Authentication Overview.]

• Support for security policies

  [See Configuring Security Policies.]

• Support for security zones

  [See Security Zones.]

• Support for Network Address Translation (NAT)

  [See NAT Configuration Overview.]

• Support for screens options for attack detection and prevention

  [See Screens Options for Attack Detection and Prevention.]

• Support for traffic processing

  [See Traffic Processing on SRX Series Firewalls Overview.]

• Support for integrated user firewall

  [See Configure Integrated User Firewall.]

• Support for IPsec VPN with iked process. Support for the policy-based VPN and Group VPN is not yet available.

  [See IPsec VPN Configuration Overview.]

• Support for PowerMode IPsec (PMI)

  [See PowerMode IPsec.]

• Support for DHCP

  [See DHCP Overview.]

• Support for GTP and SCTP

  [See Monitoring GTP Traffic and SCTP Overview.]

• Support for on-box reporting

  [See report (Security Log).]

• Support for inline active flow monitoring

  [See Understand Inline Active Flow Monitoring.]

• Support for TWAMP

  [See Understand Two-Way Active Measurement Protocol.]

• Support for RPM

  [SeeReal-Time Performance Monitoring for SRX Devices.]

• Support for logical systems

  [See Logical Systems Overview.]

Software Installation and Upgrade

• Support for BIOS, secure boot, and bootloader

  [See Secure Boot and Bootloader]

• Support for jfirmware

  [See Installing and Upgrading Firmware, request system firmware upgrade, and show system firmware.]

• Support for secure zero-touch provisioning (ZTP)

  [See Secure Zero Touch Provisioning.]

User access and authentication administration

Support for Trusted Platform Module (TPM)-based certificates for advanced anti-malware (AAMW) protection To use the TPM-based certificates:

• The device loads the TPM-based certificate using PKI during the device's start and restart operations. To view the TPM-based certificate ID, referred to as idev-id, use the show security pki node-local local-certificate certificate-id idev-id command.

• The SSL Initiation uses the certificate for Transport Layer Security (TLS) connection to authenticate the device. You can configure the tpm option using the set services ssl initiation profile profile-name crypto-hardware-offload command.

See show security pki node-local local-certificate and profile (SSL Initiation).]