Device Security
- VRF-aware zone-based security policies with flow enhancements for Layer 3 VPN over EVPN-VXLAN and MPLS (SRX Series and vSRX 3.0)—You can enforce security policies per virtual routing and forwarding (VRF) instance by creating VRF-aware security zones. Zones are defined per VRF instance rather than per VRF group, which scales better and keeps policy management intuitive across EVPN-VXLAN and Layer 3 VPN (L3VPN) segments. You can implement intra-VRF and inter-VRF policies from the CLI or the management user interface.
[See Security Policies with VRF-Aware Security Zones, Flow Management in SRX Series Devices Using VRF Routing Instance, show security flow session, and security-zone.]
- Group-based policy in VXLAN architecture (SRX Series and vSRX)—Use group-based policy (GBP) to microsegment a VXLAN fabric with application-centric policies. Tag endpoints with the business function they serve, and write policies that permit or deny traffic between endpoint groups rather than between individual addresses. New policy match options for source and destination tags enforce this granular access control, which strengthens security and simplifies policy enforcement across campus networks.
- FQDN ID for enhanced policy management and dynamic IP resolution (SRX Series, cSRX, and vSRX)—The system assigns each fully qualified domain name (FQDN) a unique identifier (ID) and stores that ID in both the Routing Engine and the Packet Forwarding Engine. Policies reference the FQDN ID, so when the addresses an FQDN resolves to change, only the ID-to-address mapping is refreshed; the policies themselves are not rewritten. This keeps lookups fast and policy behavior stable despite frequent IP address changes. This feature is enabled by default.
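The GBP and FQDN ID items above rely on the same design idea: a policy matches on a stable label (an endpoint tag or an FQDN ID), and the label-to-address binding is maintained separately from the rule set. The following is an added conceptual model of that indirection, not Junos code and not taken from the release notes; the class and method names, the tags, the FQDN updates.example.com and all addresses are constructed for illustration. It shows that re-resolving an FQDN or retagging an endpoint changes lookup results without touching the compiled policy set.

```python
"""Label-based policy matching: a conceptual model (added example).

GBP tags and FQDN IDs both let a policy refer to a stable label whose
address binding is updated independently. Everything here is a constructed
illustration; it is not Junos code and the names are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy term. None in a match field means 'any'."""
    name: str
    src_tag: Optional[str]
    dst_tag: Optional[str]
    dst_fqdn_id: Optional[int]
    action: str  # "permit" or "deny"


class PolicyEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.tag_of: Dict[str, str] = {}          # endpoint IP -> GBP tag
        self.fqdn_id_of: Dict[str, int] = {}      # FQDN -> stable ID
        self.addrs_of: Dict[int, Set[str]] = {}   # FQDN ID -> resolved IPs
        self._next_id = 1

    def policy_fingerprint(self) -> str:
        """Digest of the rule set; binding updates must not change it."""
        return hashlib.sha256(repr(self.rules).encode()).hexdigest()

    def bind_endpoint(self, ip: str, tag: str) -> None:
        """Associate an endpoint with a business-function tag (GBP)."""
        self.tag_of[ip] = tag

    def fqdn_id(self, fqdn: str) -> int:
        """Return the FQDN's ID, allocating it once on first use."""
        if fqdn not in self.fqdn_id_of:
            self.fqdn_id_of[fqdn] = self._next_id
            self.addrs_of[self._next_id] = set()
            self._next_id += 1
        return self.fqdn_id_of[fqdn]

    def resolve(self, fqdn: str, addrs: Set[str]) -> int:
        """Replace the address set behind an FQDN ID (simulated DNS refresh)."""
        fid = self.fqdn_id(fqdn)
        self.addrs_of[fid] = set(addrs)
        return fid

    def lookup(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """First-match evaluation; returns (rule name, action)."""
        src_tag = self.tag_of.get(src_ip)
        dst_tag = self.tag_of.get(dst_ip)
        for r in self.rules:
            if r.src_tag is not None and r.src_tag != src_tag:
                continue
            if r.dst_tag is not None and r.dst_tag != dst_tag:
                continue
            if r.dst_fqdn_id is not None and \
                    dst_ip not in self.addrs_of.get(r.dst_fqdn_id, set()):
                continue
            return r.name, r.action
        return "default-deny", "deny"


def build_demo() -> PolicyEngine:
    """Constructed scenario: rules reference labels, not addresses."""
    engine = PolicyEngine([])
    updates_id = engine.fqdn_id("updates.example.com")  # assumed FQDN
    engine.rules = [
        Rule("pos-to-payments", "pos", "payments", None, "permit"),
        Rule("any-to-updates", None, None, updates_id, "permit"),
        Rule("guest-deny-all", "guest", None, None, "deny"),
    ]
    engine.bind_endpoint("10.1.1.10", "pos")        # constructed endpoints
    engine.bind_endpoint("10.1.2.20", "payments")
    engine.bind_endpoint("10.9.9.9", "guest")
    engine.resolve("updates.example.com", {"198.51.100.7"})
    return engine


if __name__ == "__main__":
    e = build_demo()
    before = e.policy_fingerprint()
    print(e.lookup("10.9.9.9", "198.51.100.7"))     # guest reaches updates
    e.resolve("updates.example.com", {"203.0.113.5"})  # DNS answer changes
    print(e.lookup("10.9.9.9", "203.0.113.5"))      # still permitted
    print(e.lookup("10.9.9.9", "198.51.100.7"))     # old address now denied
    print(e.policy_fingerprint() == before)         # rule set untouched
```

The fingerprint check is the point of the model: after the simulated DNS refresh the rule set is byte-for-byte identical, yet the new address is permitted and the stale one is denied, because only the ID-to-address set changed. The same holds for retagging an endpoint with `bind_endpoint`.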